Methods for updating the configuration of a programmable packet filtering device including a determination as to whether a packet is to be junked

ABSTRACT

Methods and systems for a PLD-based network update transport (PNUT) protocol that utilizes UDP and other protocols for transmitting update or other commands or information over a packet-based or IP network. PNUT is a hardware-based network communication protocol that does not require the full TCP/IP stack and may be utilized for exchanging commands and information with such PLD-based and other devices. Protocols may include a set of core commands and a set of custom commands. Logic components within the PLD-based devices may consist of a command dispatcher, a transmitter/controller, a MAC receiver, a MAC transmitter, a packet parser, a packet generator, and core receiving and transmitting commands. The present invention may be implemented without requiring CPU cores, special controllers, stringent timings, or operating systems as compared with conventional network protocols. Various methods for exchanging and updating PNUT commands are disclosed. The methods and systems of the present invention may be utilized to provide other functions, such as filtering, logging, polling, testing, debugging, and monitoring, and may be implemented between a server and a PLD-based device or solely between PLD-based devices.

This application is a continuation of U.S. application Ser. No.09/746,519, filed Dec. 21, 2000, now U.S. Pat. No. 7,031,267, which is acontinuation-in-part of U.S. application Ser. No. 09/611,775, filed Jul.7, 2000, now U.S. Pat. No. 7,013,482.

FIELD OF THE INVENTION

The present invention relates to systems and methods for hardware-basednetwork communication protocols, and more particularly to PLD-basedcommunication protocols for transmitting, receiving and configuring dataacross networks, including for use in devices such as data protectionsystems or firewalls.

BACKGROUND OF THE INVENTION

IP networking generally is based on two models: the OSI Reference Modeland the TCP/IP Reference Model. The OSI reference model definesstandards and boundaries for establishing protocols so that computersystems may effectively communicate with each other across opennetworks. As is known in the art, the OSI model is composed of sevenlayers with each layer corresponding to specific functions. The TCP/IPreference model defines standards for protocols and addressing schemesprimarily for packet-switching and routing data packets across theInternet. Both the OSI and TCP/IP models generally require the use ofsubstantial processing resources, such as CPU cores, specialcontrollers, and software-based operating systems in order to implementthe network “stack,” which not only make implementing heterogeneousnetworks costly, but also make managing system resources and softwaredifficult.

The present invention provides an alternative to these models and is alogic-based communication protocol, which can enable a wide variety ofdevices, including FPGA-based security devices, that are connected topacket networks to be updated or to otherwise send or receive commandsor information over the packet network. The present invention includessuch a PLD-based network update transport protocol, which is oftenreferred to herein as “PNUT”. In accordance with preferred embodimentsof the present invention, PNUT preferably is a UDP-based protocoldesigned to allow IP network-based systems to communicate with a varietyof networked devices that typically would be unsuited for suchcommunications because they do not include the necessary resources toimplement the traditional TCP/IP “stack.” Utilizing the PNUT protocol,however, such devices may send and/or receive update or other packets.

The PNUT protocol in accordance with preferred embodiments offersnumerous advantages over the traditional OSI- and TCP/IP models, whichtypically are considered to require a full network protocol stack. Anetwork stack often involves the use of buffers, which temporarily storedata for applications. A PLD-based implementation in accordance with thepresent invention, however, is “stackless” in that it does not requireor implement a full network stack. Since some level of buffering may benecessary or desirable, a PLD-based device can extract the data from thebit stream and buffer it to RAM, flip flops or Flash memory. Thus, aPLD-based device implementing a PNUT-type protocol in accordance withthe present invention can free up critical system resources, which maynormally be occupied by software applications.

Moreover, the PNUT protocol may be used to enable hardware-basedproducts to communicate over Ethernet or other preferably packet-basednetworks without requiring the use of CPU cores, special controllers,special buses, operating systems, or stringent timings. For example, thePNUT protocol can be implemented across a plurality of bus structures,such as PCI buses, ISA buses, VESA buses, USB ports, infrared ports(e.g., infrared serial data link), cardbuses (e.g., PC cards), etc. ThePNUT protocol, therefore, can dramatically reduce the speed and cost ofnetworking PLD-based devices, something that currently poses a barrierto the development of new markets for these devices.

While the present invention will be described in particular detail withrespect to PLD-based firewall-type systems, particularly the systemsdescribed in co-pending application Ser. No. 09/611,775, filed Jul. 7,2000 by the inventor hereof for “Real-Time Firewall/Data ProtectionSystems and Methods,” which is hereby incorporate by reference, thepresent invention also can be used for a wide range of home and officeequipment, including pagers, cell phones, VCRs, refrigerators, laptopcomputers, and security systems. The PNUT protocol also supports a hostof functions, such as filtering, updating, logging, polling, testing,debugging, and monitoring. In addition, the present invention addressesmany of the common problems with networking these devices, such as cost,speed, robustness, concurrency, versioning, error handling, IP addressmanagement, and heterogeneous network computing. The PNUT protocolprovides an inexpensive, extensible, and stackless method of networkcommunication between hardware-based home and office equipment.

SUMMARY OF INVENTION

The present invention provides what is referred to herein as a PLD-basednetwork update transport (PNUT) protocol that preferably utilizes UDP orother protocols for transmitting update or other commands or informationover a packet-based or IP network. It should be noted that, whileparticularly useful for updating PLD-type or other devices that do notincorporate or require the full TCP/IP stack, the present invention alsomay be advantageously utilized for exchanging commands and informationthat are not for “updating” such a device. As will be appreciated, theuse of a PNUT-type protocol in accordance with embodiments of thepresent invention may be more generally utilized for exchanging commandsand information with such PLD-based and other devices. It also should benoted that the present invention is not limited to the use of UDP as atransport layer, although UDP is desirably utilized in preferredembodiments to be explained hereinafter.

The present invention preferably utilizes programmable logic devices toperform, in a particular example, filtering and networking. In otherpreferred embodiments of the present invention, a PLD-based device, suchas a cell phone, PDA, or portable computer, can be updated, debugged,and monitored by using PNUT-type protocols. Protocols in accordance withpreferred embodiments preferably contain a set of core commands designedfor updating and controlling PLD-based devices, which may be utilizedfrom any suitable operating system. For example, PNUT commands, such asfor upgrading an FPGA-based device, may be downloaded from a Java-basedupdate station, which preferably supports Java version 1.1 or greater ona network server. It should be noted that the update station may consistof a plurality of software applications, such as Java, PERL, Python,C-based programs, etc., wherein preferably all of the applicationsemploy socket interfaces. Logic components within the FPGA preferablyconsist of a command dispatcher, a transmitter/controller, a MACreceiver, a MAC transmitter, and core receiving and transmittingcommands. In alternate embodiments of PLD-based devices, logiccomponents may also include a packet parser and packet generator. Anapplication program interface (API) may also be utilized to facilitatethe transfer of update or other commands for Java applets that serve ascommand servers.

Also in accordance with the present invention, devices, methods andsystems are provided for the filtering of Internet data packets in realtime and without packet buffering. A stateful packet filtering hub isprovided in accordance with preferred embodiments of the presentinvention. The present invention also could be implemented as part of aswitch or incorporated into a router, and may use PLD-basedcommunication protocols in accordance with the present invention.

A packet filter is a device that examines network packet headers andrelated information, and determines whether the packet is allowed intoor out of a network. A stateful packet filter, however, extends thisconcept to include packet data and previous network activity in order tomake more intelligent decisions about whether a packet should be allowedinto or out of the network. An Ethernet hub is a network device thatlinks multiple network segments together at the medium level (the mediumlevel is just above the physical level, which connects to the networkcable), but typically provides no capability for packet-type filtering.As is known, when a hub receives an Ethernet packet on one connection,it forwards the packet to all other links with minimal delay and isaccordingly not suitable as a point for making filtering-type decisions.This minimum delay is important since Ethernet networks only workcorrectly if packets travel between hosts (computers) in a certainamount of time.

In accordance with the present invention, as the data of a packet comesin from one link (port), the packet's electrical signal is reshaped andthen transmitted down other links. During this process, however, afiltering decision is made between the time the first bit is received onthe incoming port and the time the last bit is transmitted on theoutgoing links. During this short interval, a substantial number offiltering rules or checks are performed, resulting in a determination asto whether the packet should or should not be invalidated by the timethat the last bit is transmitted. To execute this task, the presentinvention performs multiple filtering decisions simultaneously: data isreceived; data is transmitted; and filtering rules are examined inparallel and in real time. For example, on a 100 Mbit/sec Ethernetnetwork, 4 bits are transmitted every 40 nano seconds (at a clock speedof 25 MHz). The present invention makes a filtering decision byperforming the rules evaluations simultaneously at the hardware level,preferably with a programmable logic device.

The present invention may employ a variety of networking devices inorder to be practical, reliable and efficient. In addition, preferredembodiments of the present invention may include constituent elements ofa stateful packet filtering hub, such as microprocessors, controllers,and integrated circuits, in order to perform the real time,packet-filtering, without requiring buffering as with conventionaltechniques. The present invention preferably is reset, enabled,disabled, configured and/or reconfigured with relatively simple togglesor other physical switches, thereby removing the requirement for a userto be trained in sophisticated computer and network configuration. Inaccordance with preferred embodiments of the present invention, thesystem may be controlled and/or configured with simple switchactivation(s).

An object of the present invention is to provide methods and protocolsfor network communications that carry out bit stream transport in realtime and without the use of a conventional network stack.

Another object is to provide hardware-based methods and systems fornetworking to a logic-based device.

It is another object of the present invention is to conduct packettransport without requiring an IP address.

A further object of the present invention is to maintain statefulnetwork transport functions for standard data transmission protocols.

Still a further object of the present invention is to support PLD-baseddevices so that they may easily update flash-based bit streams andconfiguration data.

Yet another object of the present invention is to provide a method andsystem of network communication protocols that do not require CPU cores,special controllers, stringent timings, or operating systems.

Another object is to enable PLD-based devices to communicate overnetworks without requiring the use of CPU cores, special controllers,stringent timings, or operation systems.

It is another object of the present invention to provide a method andsystem that is fully compatible with traditional IP programminginterfaces, such as sockets.

A further object is to conduct packet transport without requiring a MACor IP address.

Yet another object of the present invention is to provide a device,method and system for dealing with concurrency, versioning, networklatency, and error handling problems that are commonly associated withconventional network devices and applications.

Another object is to enable PLD-based devices to easily and efficientlycommunicate with networked computer systems and other PLD-based devices.

A further object of the present invention is to make it easier to writeprogramming code without having to address networking problems.

It is another object of the present invention to enable the developmentof low-cost, extensible networking devices.

The present invention has additional objects relating to the firewalland data protection systems, including in combination with PLD-basedcommunication protocols.

Accordingly, one object of the present invention is to simplify theconfiguration requirements and filtering tasks of Internet firewall anddata protection systems.

Another object is to provide a device, method and system for Internetfirewall and data protection that does not require the use of CPU-basedsystems, operating systems, device drivers, or memory bus architectureto buffer packets and sequentially carry out the filtering tasks.

A further object of the present invention is to perform the filteringtasks of Internet firewall protection through the use of hardwarecomponents.

Another object is to utilize programmable logic for filtering tasks.

Still another object is to provide a device, method, and system to carryout bitstream filtering tasks in real time.

Yet another object is to perform parallel filtering, where packet datareception, filtering, and transmission are conducted simultaneously.

A further object of the present invention is to perform the filteringtasks relatively faster than current state-of-the-art, software-basedfirewall/data protection systems.

Another object is to provide a device, method and system for firewallprotection without the use of a buffer or temporary storage area forpacket data.

Still another object of the present invention is to design a device,method and system that does not require software networkingconfigurations in order to be operational.

A further object of the present invention is to provide a device, methodand system for Internet firewall and data security protection thatsupports partitioning a network between client and server systems.

It is a yet another object of the present invention to provide a device,method and system for Internet firewall and data protection thatsupports multiple networking ports.

Another object is to maintain stateful filtering support for standarddata transmission protocols on a per port basis.

Still another object of is to configure network functionality usingpredefined toggles or other types of physical switches.

A further object of the present invention is to conduct packet filteringwithout requiring a MAC address or IP address to perform packetfiltering.

Yet another object of the present invention is to facilitate theshortest time to carry out bitstream filtering tasks.

Finally, it is another object of the present invention to be able toperform filtering rules out of order and without the currentstate-of-the-art convention of prioritizing the filtering rulesserially.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention may be more fully understood by a description ofcertain preferred embodiments in conjunction with the attached drawingsin which:

FIGS. 1A and 1B are application level diagrams illustrating exemplarydata protection systems in accordance with the present invention;

FIG. 2 is a flow diagram illustrating the components and operations of apreferred embodiment of the present invention;

FIG. 3 is a flow chart illustrating the basic functions of a repeatercore and four filter levels in accordance with preferred embodiments ofthe present invention;

FIG. 4 is a diagram illustrating filtering functions of Level 2 filtersin relation to the flow of packet data from internal and externalnetworks in accordance with preferred embodiments of the presentinvention;

FIG. 5 is a flow chart illustrating packet filtering functions of Level3 filters in accordance with preferred embodiments of the presentinvention;

FIG. 6 illustrates the rules by which TCP and UDP packets are evaluatedin parallel in accordance with preferred embodiments of the presentinvention;

FIG. 7 is a diagram illustrating parallel rule evaluation for TCP andUDP packets in accordance with preferred embodiments of the presentinvention;

FIG. 8 is a flow chart illustrating packet filtering functions of Level4 filters in accordance with preferred embodiments of the presentinvention;

FIG. 9 is a block diagram of the hardware components of a preferredembodiment of the present invention;

FIG. 10 is an illustration of an exemplary design of an external case inaccordance with preferred embodiments of the present invention;

FIGS. 11 and 12 are flow diagrams illustrating SYN flood protection inaccordance with preferred embodiments of the present invention; and

FIG. 13 is a flow chart illustrating the process of “garbage collection”in flood lists in accordance with preferred embodiments of the presentinvention.

FIG. 14 is a block diagram of an exemplary embodiment of a networkconfiguration in which PNUT-type commands may be transmitted between anupdate station and a PNUT-enabled device in accordance with the presentinvention;

FIG. 15 is a flowchart illustrating the transfer of PNUT-type commandsin an exemplary network configuration in accordance with the presentinvention, such as for updating a PLD-based device;

FIG. 16 is a more detailed block diagram of an additional exemplaryembodiment of a network configuration in which both core and customPNUT-type commands may be transmitted between an update station and aPLD-based device in accordance with the present invention;

FIG. 17 is a flowchart illustrating the transfer of core and customPNUT-type commands in an exemplary network configuration in accordancewith the present invention;

FIGS. 18-20 illustrate exemplary embodiments of browser-based GUIs of anupdate station, which are used in a preferred example for transmittingPNUT-type commands, such as for updating a PLD-based device;

FIG. 21 is a flowchart illustrating an exemplary embodiment of the useof PNUT-type commands by a PLD-based device, such as a data protectionsystem 1;

FIG. 22 illustrates an alternate embodiment of a network configuration,such as for updating a PLD-based device on one network with a PNUTcommand library located on another network;

FIG. 23 illustrates an exemplary embodiment of the implementation of thedata configurations of PNUT-type commands with a standard formattingspecification; and

FIG. 24 is an illustration of a plurality of exemplary PLD-based devicesand appliances, which may exchange PNUT-type commands in accordance withthe present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will be described in greater detail with referenceto certain preferred and alternative embodiments. As described below,refinements and substitutions of the various embodiments are possiblebased on the principles and teachings herein.

FIG. 1A and FIG. 1B illustrate the physical positioning of a statefulpacket filtering hub in accordance with the present invention in twoexemplary network configurations. The packet filtering hub of theillustrated embodiments preferably serves as an Internet firewall/dataprotection system (hereafter “data protection system”).

With reference to FIG. 1A, in the illustrated embodiment data protectionsystem 1 is coupled through a port to router 2 (or cable modem or otherpreferably broadband, persistent network connection access device),which is linked through a broadband connection to other computer systemsand networks, exemplified by Internet 8 and Internet Service Provider(ISP) 10. Packets of data are transmitted from an ISP, such as ISP 10,via Internet 8 to router 2. The packets are transmitted to dataprotection system 1, which analyzes the packets in “real time” andwithout buffering of the packets, while at the same time beginning theprocess of transmitting the packet to the internal network(s) incompliance with the timing requirements imposed by the Ethernet or othernetwork standards and protocols. If a packet of data satisfies thecriteria of the rules-based filtering performed within data protectionsystem 1, which is executed in a manner to be completed by the time theentire packet has been received by data protection system 1, then it isallowed to pass to hub 6 as a valid packet, which may then relay thecleared packet to computers 4 a, 4 b, 4 c, etc. on the internal network.If a packet of data fails to meet the filtering criteria, then it is notallowed to pass as a valid packet and is “junked.” (Junking is definedas changing bits or truncating data, depending on the type of link, in amanner such that the packet is corrupted or otherwise will be detectedby the receiving computers as invalid or unacceptable, etc.) Without theintermediate positioning of data protection system 1, the packets wouldbe transmitted directly to unprotected hub 6, thereby exposing computers4 a, 4 b and 4 c to security risks. It should also be noted that hub 6is optional in accordance with the present invention; in otherembodiments, data protection system 1 may be directly connected to asingle computer or may have multiple ports that connect to multiplecomputers. Similar filtering is performed on packets that are to betransmitted from computers 4 a, 4 b, and 4 c to Internet 8.

With reference to FIG. 1B, in this illustrated embodiment dataprotection system 1 is coupled via one port to DSL router 2 (again, thenetwork access device is not limited to a DSL router, etc.), whichprovides the broadband connection to Internet 8. As with the embodimentof FIG. 1A, data protection system 1 also is coupled to a number ofcomputers 4 a, 4 b, etc., on the internal network, and serves to providefiltering for packets between computers 4 a and 4 b and Internet 8 inthe manner described in connection with FIG. 1A. In this embodiment,data protection system 1 is also connected via another port to hub 6,which serves as the main point of contact for incoming connections fromthe Internet for bastion hosts 5 a and 5 b, etc. In accordance with thisembodiment, packets are transmitted to router 2 and then to dataprotection system 1. If the packets are approved by data protectionsystem 1 (i.e., passing the filtering rules/checks performed with dataprotection system 1 while the packet is being received and transmitted),then the packets are allowed to pass as valid packets to computers 4 a,4 b and hub 6. (The rules-based filtering process of preferredembodiments of the present invention will be described in more detailhereinafter.) Hub 6 may relay the packets to other internal hostcomputers 5 a, 5 b, etc., on the local area network (LAN). Thesecomputers may include, for example, a Web and FTP server 5 a, or astreaming audio server 5 b, etc. Thus, in accordance with theillustrated embodiment, packets that passed the filtering rules/checksare passed as valid packets to computers, such as protected internalhost computer 4 a, which as illustrated may be connected to printer 7.In this particular embodiment, a bastion port is provided that may beused to service more than one bastion host. In other embodiments,different network configurations may be utilized in accordance with thepresent invention.

FIG. 2 illustrates the general components and operations of certainpreferred embodiments of the present invention. Connection to externalnetwork 12 is made by physical interface 14. Physical interface (or PHY)14 preferably is implemented with commercially available, physical layerinterface circuits, as are known in the art (such physical layerinterface circuits may be off-the-shelf components, the interface towhich is specified in the Ethernet IEEE standard 802.3u.). At a minimum,the data protection system must contain two PHY interfaces: one for theInternet or other external network connection, and one (or more) for theinternal network. It should be noted that, in preferred embodiments, PHYcontrollers are utilized, which implicitly assumes Ethernet-typeconnections. In other embodiments in accordance with the presentinvention, other types of PHY interfaces and controllers are utilizedfor different networking standards.

Repeater core 16 functions as an Ethernet repeater (as defined by thenetwork protocols of the IEEE standard 802.3) and serves to receivepackets from external PHY 14, reshape the electrical signals thereof,and transmit the packets to internal PHY 18, which is coupled tointernal network 20. While the packet is being received, reshaped, andtransmitted between PHYs 14 and 18, however, it is simultaneously beingevaluated in parallel with filtering rules to determine if it should beallowed to pass as a valid packet (as will be described in greaterdetail elsewhere herein). As with the discussion regarding the PHYinterfaces and controllers, changes in networking standards may alterthe components functionality (such as the characteristics of repeatercore 16), but not the basic parallel, real-time packet filtering inaccordance with the present invention. (In an alternate embodiment, forexample, the data protection system may use switch logic or routerlogic; in full duplex, the same principles apply.)

The parallel filtering preferably consists of packet characteristicslogic 22, packet type filters 26, and state rules filters 42. Packetcharacteristics logic 22 determines characteristics based on packet data(preferably in the form of 4-bit nibbles from PHY 14), whereas packettype filters 26 make filtering decisions generally based on packet type.State rules filters 42 perform rules-based filtering on several levelssimultaneously. The results of filtering by packet type filters 26 andstate rules filters 42 are combined by aggregator 24, which may beconsidered a type of logical operation of pass/fail signals (describedin greater detail elsewhere herein). In preferred embodiments, if anyone or more of the performed filtering rules indicates that the packetshould be failed (or not allowed to pass as a valid packet), then theoutput of aggregator 24 is a fail; otherwise, the packet is allowed andthe output of aggregator 24 is a pass. Thus, as packet data is beingreceived and transmitted from PHY 14 to PHY 18 via repeater core 16, itis being evaluated in parallel via packet type filters 26 and staterules filters 42 (based in part on packet characteristics determined bylogic 22 from the data received from PHY 14). In accordance with thepresent invention, the results of filtering by packet type filters 26and state rules filters 42 are provided to aggregator 24 by the timethat the entire packet reaches repeater core 16, so that, based on theoutput of aggregator 24, the packet will either be allowed to pass as avalid packet or will be failed and junked as a suspect (or otherwiseinvalidated) packet.

Packet characteristics logic 22 receives packet data from PHY 14 andexamines the packet data to determine characteristics, such as thepacket type, datagram boundaries, packet start, packet end, data offsetcounts, protocols, flags, and receiving port. The packet type mayinclude, for example, what are known in the art as IP, TCP, UDP, ARP,ICMP, or IPX/SPX. Such packet characteristics data is provided to packettype filters 26. Packet type filters 26 preferably make a decision aboutwhether the packet should be passed or failed, with the result beingtransmitted to aggregator 24. In accordance with preferred embodiments,packet type filters 26 do not require the use of what may be consideredan extensible rules system. The filters of packet type filters 26preferably are expressed as fixed state machines or may be expressedusing more flexible rules syntax. What is important is that packet typefiltering is performed by filters 26 in the shortest time intervalpossible and in parallel with the packet data being received andtransmitted to internal PHY 18, so that a pass/fail determination may bemade prior to the time when the entire packet has been received byrepeater core 16.

State rules filters 42 receive packet characteristics data from logic 22and, based on this data as well as cached/stored connection andcommunication state information, executes a plurality of rules under thecontrol of rules controller 28, preferably using a plurality of rulesengines 36-1 to 36-N, so that a desired set of filtering decisions arepromptly made and a pass/fail determination occurs before the entirepacket has been received by repeater core 16. State rules filters 42preserve a cache of information 30 about past network activity (such asIP addresses for established connections, port utilization, and thelike), which is used to maintain network connection state informationabout which hosts have been exchanging packets and what types of packetsthey have exchanged, etc. Rules controller 28 preferably accesses rulesmap table 32 based on packet characteristics information, which returnsrules dispatch information to rules controller 28. Thus, based on theconnection state information stored in connection cache 30 and thecharacteristics of the packet being examined, rules controller 28initiates filtering rules via a plurality of rules engines 36-1 to 36-Nthat simultaneously apply the desired set of filtering rules inparallel. (Preferably, N is determined by the number of rules that needto be performed in the available time and the speed of the particularlogic that is used to implement state rules filters 42.)

As will be appreciated, while the packet pass/fail decision is beingmade in real time, and thus must be concluded by the time that theentire packet has been received, a large of number of filtering rulesmust be performed quickly and in parallel. Preferably, rules controller28 utilizes a plurality of rules engines 36-1 to 36-N, which logicallyapply specific rules retrieved from corresponding storage areas 40-1 to40-N. Rules controller 28, based on the connection state and packetcharacteristics, determines which rules should be run based on whichinformation. The rules to be run are then allocated by rules controller28 to the available rules engines 36-1 to 36-N. As each rules engine36-1 to 36-N may be required to execute multiple rules in order tocomplete the filtering decision process in the required time,corresponding queues 34-1 to 34-N are preferably provided. Thus, rulescontroller 28 determines the list of rules that should be performed(again, based on the stored connection state and packet characteristicsdata) and provides the list of rules (and accompanying information tocarry out those rules) to the plurality of rules engines 36-1 to 36-Nvia queues 34-1 to 34-N. Rules engines 36-1 to 36-N, based on theinformation from the queues 34-1 to 34-N, look up specific ruleinformation from storage areas 40-1 to 40-N, carry out the rules, andpreferably return the results to rules controller 28. As the rules areessentially conditional logic statements that notify the data protectionsystem how to react to a particular set of logical inputs, it has beendetermined that providing a plurality of rules engines may enable thenecessary decision making process to quickly provide the outcome of therules-based filtering by the time the entire packet has been received.

Still referring to FIG. 2, rules controller 28 preferably uses rules maptable 32 to dispatch the rules to rules engines 36-1 and 36-N, so that afiltering decision may be reached in the optimal amount of time. In apreferred operation, each rules engine extracts a rule ID from itsqueue, looks up the rules definition in its own rules table 40-1 to40-N, evaluates the rule, returns the result to rules controller 28, andlooks for another rule ID in its queue 34-1 to 34-N. The results frompacket type filter 26 and rules controller 28 are combined into oneresult via aggregator 24: pass or fail. If a decision is not reachedbefore the end of the packet is transmitted, then in preferredembodiments the packet will be processed as an invalid packet andjunked.

It should be appreciated that the data protection system must make afiltering determination before the current packet is completelytransmitted. Since the networking standards impose strict timingthresholds on the transit delay of packets, filtering is performed inreal time, in parallel and without buffering the packet. (The transitdelay threshold is the time it takes to get from the transmittingstation to the receiving station.) Given that a filtering decision mustbe made in real time (before the last bit is received and forwarded tothe applicable interfaces), the filter rules are evaluated in parallelby rules engines that possess independent, direct access to the rulesset collected in storage areas 40-1 and 40-N, which are preferablyimplemented as RAM tables. (In a preferred embodiment of data protectionsystem 1, the tables are implemented using on-chip, dual port RAM up to4K in size. A programmable logic device, such as Xilinx Spartan IIXC2S100, has 40K dual port synchronous block RAM. For example, aninitial 110-bit segment of the rules controller RAM block may be a rangetable that delineates where each look up code begins and what the numberof entries are.) Rules controller 28 dispatches the rules to each rulesengine by placing a rules ID entry in a queue. Because each rules engineis assigned its own queue, a pipeline is created allowing the rulesengine to continuously run and operate at maximum efficiency.

To operate efficiently the rules engines must also be capable ofevaluating rules in any order. In accordance with the preferredembodiments, each rule has a priority and the highest priority result isaccepted. Therefore, the rules must be evaluated in any order yet stillobtain the same result, as if the rules were being evaluated seriallyfrom highest to lowest priority. This operation is accomplished inpreferred embodiments by rules map table 32, which notifies rulescontroller 28 which rule is assigned to which rules engine. Thus, thisdecision is statically determined based on the rules set and the numberof rules engines. It should be noted that the rule set in general isgreater than the number of rules engines.

FIG. 3 is a flow chart illustrating further aspects of preferredembodiments of the present invention. As previously described, preferredembodiments of the data protection system 1 utilize programmable logic,or other suitable preferably hardware-based logic, to perform a largenumber of filter rules in parallel and at high speed. Such embodimentsmay be considered to provide an external interface, for instance, to theInternet, to external network 12, and one or more internal networkinterfaces, such as to internal network 20 and/or to bastion network 15(see, for example, FIGS. 1A and 1B). As repeater core 16 (or the PHYs inFIG. 2) receives and transmits packet data, the packet is simultaneouslysubjected to a plurality of filtering rules. At step 44, the packetcharacteristics are determined (which, as previously described, mayinclude protocol, addresses, ports, flags, etc.). The filtering rulesare based on the packet characteristics, connection state information(depending upon the particular rules), and/or toggle or other physicalswitch state information. This filtering process may be represented byfiltering steps 46, 48, 50 and 52, which, as depicted in FIG. 3, areperformed at least in substantial part in parallel, and thus can makefiltering decisions by the time the packet has been completely received.

As illustrated, after the packets are transmitted to repeater core 16,their characteristics are analyzed at step 44. Data packets generallyconsist of several layers of protocols that combine to make a protocolstack. Preferably, each layer of the stack is decoded and theinformation is passed to various filter blocks, as exemplified in steps46, 48, 50 and 52. In accordance with the present invention, thisfiltering process is executed in parallel and in real time. In otherembodiments, a variety of filter blocks or rules-based filters may beemployed, incorporating parallel execution, real-time filtering, etc.,as may be necessary to complete the filtering decision in the requiredtime.

Referring again to preferred embodiments illustrated in FIG. 3, Level 2filters at step 46 may examine information in the link layer header forall incoming packets and decide whether a packet should be junked basedon the packet protocol. While Level 2 filters preferably distinguish thepacket type, Level 3 filters at step 48 and Level 4 filters at step 50preferably distinguish IP datagram characteristics. Level 3 filters atstep 48 may examine information in the networking layer headers. (Forthe IP protocol, these headers would equate to the ARP, RARP, IP, ICMP,and IGMP protocol headers.) Level 4 filters at step 50 preferablyoperate by examining IP, TCP and UDP headers along with data transmittedbetween the client and server processes, utilizing two techniques:stateful and non-stateful packet filtering. (Level 2, 3 and 4 filtersare described in greater detail elsewhere herein.) Preferably a spoofcheck filter at step 52 detects whether the packet originated from anauthorized IP address or not. To determine whether the packet should beallowed to pass as a valid packet, the filters must implement rules inparallel preferably based on programmable logic and register one of twovalues: pass or fail. After the values are registered, the outcome iscollected in result aggregator 24, which logically combines the resultsto determine if the packet should be allowed to pass as a valid packetor should be denied as an invalid one. If the packet is passed, thenrepeater core 16 continues to send correct bits. If the packet isfailed, then it is junked.

In accordance with preferred embodiments of the present invention asillustrated in FIG. 3, a spoof check is performed on all packetsentering a port at step 52. To prevent IP spoofing, the spoof checkfiltering of step 52 monitors IP addresses from the internal network anddiscards any incoming packets with IP source addresses that matchinternal IP addresses. A spoof check ensures that a host on one networkis not trying to impersonate a computer on another network, such as acomputer on the Internet assuming the IP address of a computer connectedto an internal port. In accordance with preferred embodiments, spoofedpackets are always junked by the data protection system. In suchembodiments, the data protection system performs this check by keepingtrack of the IP addresses of packets arriving on the internal andbastion ports. The source and destination addresses of each packet arechecked against the known port addresses to ensure they are valid forthe appropriate port.

FIG. 3 also illustrates alarm controller 53, which preferably is coupledto result aggregator 24. Alarm controller 53, which could be a separatelogic block or within the result aggregator, receives signals indicatingwhen packets are being rejected, either directly from the logicperforming the filtering or from result aggregator 24. As described ingreater detail elsewhere herein, alarm controller 53 desirably isutilized to provide visual feedback of the system status or operation(such as whether the data protection system is under attack) via LED(s)54 (or other light source, LCD, or other alphanumeric or graphicdisplay, etc.); alarm controller 53 also may be coupled to an audiofeedback device, such as speaker 55, which similarly may be used toprovide audio feedback of the system status or operation. For example,if a packet is rejected; a first visual indication may be provided viaLED(s) 54 (e.g., yellow light); if packets are being rejected in amanner or at a rate that suggests an internal computer is under attack,then a second visual indication may be provided via LED(s) 54 (e.g., ared light). Similarly, first and second tones or other audibleindicators (different tones, volumes, sequences, etc.) may be providedvia speaker 55 to indicate the detected condition). In preferredembodiments, such feedback, audio and/or visual, may maintain the alertstate until reset by the user, such as by depressing a toggle. Thus, ifthe internal system has been determined to be under attack while theuser is away, this fact will be made known to the user when the userreturns and sees and/or hears the visual and/or audio feedback. It alsoshould be noted that alarm controller 53 also may generate a UDP packet(indicated by the dashed line that is coupled to internal network 20)that informs the internal client computer of the attack or suspectedattack, thereby providing an additional optional mechanism to inform theuser of suspect activity.

FIG. 4 illustrates exemplary packet filtering functions of Level 2-typefiltering in relation to the flow of packet data from internal andexternal networks. External PHY 12 receives packet electrical signalsoff the physical wire or other medium. Similarly, internal PHYs 18 and58 receive packet electrical signals from internal network 20 or bastionnetwork 15, respectively. Packet data comes in from one of PHYs 12, 18or 58 to PHY controller 56. PHY controller 56 in general receivesincoming data from network PHYs 12, 18 or 58, detects collisions,indicates the start and end of packet data, and forwards the packet datato other appropriate components of the data protection system (such asdescribed herein). From PHY controller 56, data from the packet beingreceived, along with information indicating which PHYs are active (i.e.,on which PHY a packet is being received and to which PHYs the packet isbeing transmitted, etc.), and the packet is reshaped and transmitted inreal time via block 60 (i.e., the packet is not received into a buffer,after which it is sequentially processed to determine if the packetshould be allowed to pass, etc., as in conventional firewalls). In thecase of a packet received from Internet 8, the packet is received by PHYcontroller 56 from external PHY 12, and reshaped and transmitted inreal-time to the internal PHY 18 and/or bastion PHY 58.

As will be appreciated, block 60 in essence performs the repeaterfunctionality of passing the incoming data to the non-active PHYs afterreformatting the preamble. Block 60 also preferably receives “junk” or“pass” signals from the filtering components and a collision detectionsignal from PHY controller 56. In preferred embodiments, a “jam” signalis propagated to each PHY upon detection of a collision. A packet isinvalidated for all PHYs that belong to a network category that receivesa “junk” signal. (For example, if the packet is invalidated for internalnetworks, then the packet is invalidated for all internal networkports.) Preferably, block 60 also receives a single output signal fromresult aggregator 24 for each PHY category (i.e., internal or external).As will be explained in greater detail hereinafter, result aggregator 24generates the signals provided to block 60 based on “junk” or “pass”signals from each filter component.

In accordance with the present invention, the packet is alsosimultaneously routed through a plurality of filtering steps. In theexemplary illustration of Level 2 filters in FIG. 4, the packet type isdetermined at step 64. At step 64, the network packet is examined todetermine the enclosed Level 3 datagram type, such as ARP, RARP, IP, orIPX. This information is used to perform Level 2 filtering and to decidehow to deconstruct the enclosed datagram to perform Level 3 filtering.If an unknown packet type is received from the external network, thenthe packet preferably is junked if filtering is enabled. Unknown packettypes received from the internal network preferably are forwarded toother hosts on the internal network and may be forwarded to the bastionport, but are not forwarded to the external network.

If it is a known packet type, then it is routed through additionalfiltering steps based on particular packet protocols. In the illustratedembodiment, at step 66, if the packet is an Address Resolution Protocol(ARP) type packet, then it is passed. At step 68, if the packet is aReverse Address Resolution Protocol (RARP) type packet and is fromexternal PHY 12 and the op code is 3, then it is junked; otherwise, itis passed as indicated at step 70. As is known in the art, RARPgenerally is a protocol used by diskless workstations to determine theiraddress; in accordance with preferred embodiments, RARP responses arethe only RARP packets allowed to enter internal networks from externalhosts. At step 72, if the packet is an Internet Protocol (IP) typepacket, is from the external PHY and has been broadcast, then it isjunked. (For example, broadcast packets from the external networkpreferably are not allowed; a broadcast packet is determined byexamining the IP address or the physical layer address). Otherwise, theprocess proceeds to step 74. Step 74 preferably examines the IP header,which contains a protocol fragment where an application can placehandling options. Certain options (such as the illustrated list) may beconsidered to provide internal, potentially sensitive networkinformation, and thus packets that contain these options preferably arenot allowed into the internal network. At step 74, if a handling optionof 7, 68, 131, or 137 is present, then the packet is junked; if theseoptions are not present, then the process proceeds to filter IP packetstep 76 (exemplary details of step 76 are explained in greater detailhereinafter). If the packet passes the filtering rules applied in filterIP packet step 76, then the packet is passed, as indicated by step 78.If the packet does not pass the filtering rules applied in filter IPpacket step 76, then the packet is junked.

As illustrated in FIG. 4, any signals indicating that the packet shouldbe junked are provided to result aggregator 24, as indicated by line 73.The filtering results are thus routed to result aggregator 24, whichrecords whether any of the packets were junked and thus invalidated.Result aggregator 24 provides one or more signals to the logic of block60 at a time early enough so that a Frame Check Sequence (FCS) charactermay be altered to effectively invalidate the packet. Therefore, prior tocomplete forwarding of the packet, the filtering decision is made andthe FCS character is either altered in order to ensure that it iscorrupted, if the packet is to be junked, or forwarded unchanged, if thepacket is to be passed. In effect, a system in accordance with thepresent invention acts like a hub or repeater by receiving packetnibbles (2 or 4 bits at a time) on one interface wire and bybroadcasting those nibbles on other interfaces. Thus, the dataprotection system cannot make a decision about a packet beforeforwarding the nibbles on the non-receiving interfaces since this mayresult in an inoperable Ethernet network. If the system is enabled tofilter a packet, it must still transmit data while receiving data toensure the Ethernet network functions correctly and efficiently. Thedata protection system filters packets by transmitting a nibble on thenon-receiving interfaces for each collected nibble on the receivinginterface, but ensures that the Ethernet packet FCS character is notcorrect if the packet is suspect. Thus, the sending station may perceivethat it successfully transmitted the packet without collision, but infact all receiving stations will discard the corrupted packet. It shouldbe noted that, in alternative embodiments, in lieu of or in addition tothe selective alteration of a FCS or checksum-type value, the datacontents of the packet also may be selectively corrupted in order toinvalidate packets. In such embodiments, the packet contents areselectively altered to corrupt the packet (e.g., ensure that thechecksum is not correct for the forwarded packet data or that the datais otherwise corrupted) if the packet did not pass the filtering rules.

FIG. 4 also illustrates physical switch or toggle 62, the state of whichcan be used to enable or control packet filtering in accordance with thepresent invention. The state of switch/toggle 62 is coupled to the dataprotection system in a manner to enable or disable packet filtering. Inthe illustrated example, the state of switch/toggle 62 is coupled to thelogic of block 60; if, for example, packet filtering is disabled, thenblock 60 can receive and forward packets while disregarding the outputof result aggregator 24 (alternatively, result aggregator 24 can becontrolled to always indicate that the packet should not be invalidated,etc.). In other embodiments, the state of such a switch/toggle cancontrol result aggregator 24 or all or part of the particular filteringsteps. As will be appreciated in accordance with the present invention,the data protection system may be controlled and configured withoutrequiring the implementation of complex software. The data protectionsystem preferably utilizes toggle buttons or other physical switches toselectively enable various functions, such as Internet clientapplications, Internet server applications, and filtering features. Thesystem, for example, also may contain a button for retrieving updatedcore logic or filtering rules from a data source. The data source forsuch updating of the core logic may include a wide range of forms ofdigital media, including but not limited to a network server, a floppydisk, hard drive, CD, ZIP disk, and DVD. Configuration, therefore, maybe determined by physical interface components attached or linked to thesystem.

Referring to FIG. 5, additional details of preferred filter IP packetstep 76 will now be described. FIG. 5 is a flow chart illustrating thepacket filtering functions of the Level 3 filters first illustrated inFIG. 3. At step 81, the Level 3 filtering processes determine the IPdatagram characteristics, which preferably include: datagram type (ICMP,IGMP, TCP, UDP, unknown); source and destination IP addresses; fragmentoffset; and fragment size. Based on the IP datagram characteristics,further filtering operations are performed. Preferred functions forLevel 3 filtering will now be described in greater detail.

At step 80, if the IP datagram type is unknown, then the fail signal isset, sending a signal to the result aggregator that the packet should beinvalidated. At step 82, if the IP datagram type is Internet GroupManagement Protocol (IGMP), then the fail signal is set, preventing‘GNU’ packets from passing. At step 84, if the type is Internet ControlMessage Protocol (ICMP) and the packet is from the external PHY, thenthe filtering proceeds to step 88. At step 84, if the type is ICMP andthe packet is not from the external PHY, then the packet is passed asindicated by step 86. At step 88, if the type is ICMP, and the packet isfrom the external PHY and does not contain a fragment offset of 0, thenthe fail signal is set, preventing fragmented ICMP packets from passing,as indicated by step 90; otherwise, the filtering proceeds to step 92.At step 92, if the type is ICMP, the packet is from the external PHY andcontains a fragment offset of 0, then the packet type is furtherevaluated for request and exchange data. This data preferably includesone of the following ICMP message types: 5 for redirect; 8 for echorequest; 10 for router solicitation; 13 for timestamp request; 15 forinformation request; or 17 for address mask request. Accordingly, if thepacket type satisfies the criteria for step 92, then the fail signal isset as indicated by step 96. Otherwise, the packet is allowed to pass,as indicated by step 94. As will be appreciated, the ICMP filteringbranch serves to keep potentially harmful ICMP packets from enteringfrom the external network. (The listed message types represent anexemplary set of ICMP packets that may expose the internal networktopology to threats or cause routing table changes.)

If IP datagram characteristics indicate that the packet is aTransmission Control Protocol (TCP) or User Datagram Protocol (UDP)packet, then the filtering proceeds to step 98. At step 98, it isdetermined whether the packet is a fragment 0 packet. If it is not, thenthe packet is allowed to pass, as indicated by step 100. This filteringprocess follows the convention of filtering only the first fragments, assubsequent fragments will be discarded if the first one is not allowedto pass; in other words, the data protection system ignores all but thefirst packet of a TCP or UDP datagram. At step 104, if the packet is TCPor UDP and is a first fragment packet, then it is determined whether aproper protocol header is included in the fragment; if it is not, thenthe fail signal is set as indicated by step 102 (in the illustratedembodiment all TCP and UDP packets that have improper headers arejunked). If the packet is TCP or UDP, is a first fragment, and a properprotocol header is included in the packet, then the filtering proceedsto step 106 (further exemplary details of which will be described inconnection with FIG. 6).

FIG. 6 is a flow chart that illustrates a preferred example of how TCPand UDP packets are evaluated in parallel in accordance with the presentinvention (see, e.g., the multiple rules engines and related discussionin connection with FIG. 2 and the Level 4 filters of FIG. 3). As isknown, TCP and UDP are host-to-host protocols located in the TransportLayer of the protocol stack. FIG. 6 illustrates how packet data 108 isunbundled and decoded for packet characteristics at step 110 (e.g., IPaddresses, ports, flags, etc.) as well as for packet type and PHYactivity at 112 (i.e., whether it is an internally generated packet oran externally generated one). In the preferred embodiments, the packetsare evaluated in parallel according to the following rules.

As indicated at step 114, if the internal port number is 68 and theexternal port number is 67, then the packet is passed, regardless ofwhether it originated on the internal network or the external network.As indicated at step 116, if the packet type is TCP, the server-mode isenabled (such as may be controlled by a toggle or other physicalswitch), the external PHY is active, and the internal port number is 80,then the packet is passed to the internal network(s). (The server modeis explained in greater detail in connection with FIG. 7 below). Asindicated at step 118, if the packet type is TCP and either theAcknowledge (“ACK”) bit or Final (“FIN”) bit is set, then the packet ispassed, regardless of whether it originated on the internal network orthe external network. As indicated at step 120, if the packet type isTCP and an internal PHY is active, then the packet is passed to theexternal network. As indicated at step 122, if the packet type is UDP,an internal PHY is active, and the external port number is 53, then thepacket is passed to the external network and the communication state(e.g., source and destination port numbers) is stored as indicated bycomm or communication state store 124. As indicated at step 126, if thepacket type is UDP, the external PHY is active and the external portnumber is 53, then the packet is passed to the internal network(s) ifthere is a match in the communication state. As indicated at step 128,if the packet type is TCP, an internal PHY is active, the external portnumber is 21, the Synchronize Sequence Numbers (“SYN”) bit is not setbut the ACK bit is set, and the packet is a PORT command, then thepacket is passed to the external network and the client (internalnetwork) active port is determined and the communication state isstored. As indicated at step 130, if the packet type is TCP, theexternal PHY is active, the external port number is 20, and the SYN bitis set but the ACK bit is not set, then the packet is passed to theinternal network(s) if there is a communication state match. Asindicated at step 132, if all checks have been completed, then acomplete signal is set, and signals indicative of whether the packetpasses to internal or external network(s) as previously described arebitwise logically ORed to generate pass internal and pass externalsignals, as illustrated. It should be noted that, in preferredembodiments, if the completion signal is not generated by the time thatthe packet has been completely received, then the packet is junked.

Referring now to FIG. 7, Level 4 filtering in accordance with thepresent invention will be further described. The embodiment of FIG. 7 isa table-based filter, which uses an approach similar to that describedin connection with FIG. 2. This approach preferably utilizes aprogrammable logic device (PLD) that includes low latency, high-speedROM and RAM blocks.

As previously described, Level 4 filtering is based on TCP and UDPpacket characteristics, the determination of which is illustrated inFIG. 7 by block 133. TCP and UDP characteristics, as noted elsewhereherein, may include not only source and destination port numbers, butalso the state of the SYN, ACK, FIN and/or RESET flags in the case ofTCP packets. The TCP/UDP characteristics are determined by the TCP/UDPheader information. The TCP/UDP characteristics and active PHYinformation are used in the generation of a lookup code, which in theembodiment of FIG. 7 is coupled to rules dispatcher 134. Rulesdispatcher 134 uses a lookup code to determine the filtering rules to beapplied to a packet and then places the identifiers of the rules to berun in queues 138-1 to 138-N for each of the rules engines 140-1 to140-N. Mapping table 136 is coupled to and receives address data fromrules dispatcher 134. Mapping table 136 preferably is a ROM block thatidentifies the rules associated with each lookup code and the rulesengine for which each rule is to be dispatched. The mapping data for therules and rules engines are returned to rules dispatcher 134.

The identifiers of the rules to be run are dispatched by rulesdispatcher 134 to the appropriate queues 138-1 to 138-N, which arepreferably FIFO-type structures that hold the rule identifiers forcorresponding rules engines 140-1 to 140-N. Queues 138-1 to 138-N notonly enable rules dispatcher 134 to assign rules at maximum speed, butalso allow each rules engine to retrieve rules as each one is evaluated.The rules engines 140-1 to 140-N are a plurality of filteringengines/logic that use a rule table to read a definition specifyingwhether a rule applies to a packet and whether the packet passes orfails the rule test. Rules tables 142-1 to 142-N preferably are ROMblocks that contain a definition of a set of filtering rules that arecontrollably run by the rules engines 140-1 to 140-N. Rules tables 142-1to 142-N may contain different rules as may be appropriate to provideall of the rules necessary to adequately filter packets within thetiming constraints imposed by the real-time filtering of the presentinvention, and the speed of the hardware used to implement the dataprotection system.

In addition, as illustrated in FIG. 7, rules engines 140-1 to 140-N mayreceive as inputs signals indicative of a stored communication state, IPdatagram characteristics, or physical switch/toggle states. As indicatedby block 148, toggles may be utilized for a variety of features, such asenabling web client, web servers or other user-defined features. With atleast some of the executed rules based on the stored communicationstate, stateful rules are implemented with the illustrated embodiment. Acommunication state table or cache is provided. A cache of communicationstate information between different hosts provides a set of bits thatrepresent rule defined state information. For example, source anddestination port information may be stored in the cache and used forstate-dependent filtering.

In the illustrated embodiment, communication state information fromrules engines 140-1 to 140-N may be provided to result aggregator 144,which in turn may store the communication state information to thecommunication state cache or storage area. Result signals, representingpass or fail of the packet based on the applied rules, also are providedto result aggregator 144. Result aggregator 144 combines the pass/failresults signals and provides a pass or junk signal or signals, which maybe provided to the repeater core or to another result aggregator.

FIG. 8 illustrates an alternative preferred embodiment, in which theLevel 4 filtering is implemented with a register-based filteringmethodology. As with the Level 4 filtering of FIG. 7, both statefulfilters 154 and non-stateful filters 153 may be implemented. As with theembodiment of FIG. 7, Level 4 filtering requires that TCP and UDP packetcharacteristics be determined, as illustrated by box 150. In addition tothe Level 3 packet characteristics, Level 4 filters in accordance withthis embodiment also require the source and destination port numbers andthe TCP header values for the SYN, RST, FIN flags and the ACK value.This information preferably is used by both non-stateful and statefulfilters 153 and 154. The implementation of the non-stateful filters isexecuted with a state machine or other logic preferably in the PLD thatcompares characteristics to the allowed non-stateful rules and makes ajudgement as to whether the packet should be passed or failed. Thenon-stateful rules engine/logic uses a set of static rules to decide ifa packet is allowed to pass through the firewall. These rules preferablyare specified using a combination of control inputs, active PHY, andnetwork packet characteristics.

Stateful filters are implemented to handle communication channelinteractions that span multiple transmissions between hosts. Theinteractions typically occur at the Application Layer of the protocolstack, where examples may include FTP, RealAudio, and DHCP. Theseinteractions may also take place at lower levels in the protocol stack,such as ARP and ICMP request/response.

In this embodiment, stateful filters 154 use protocol front-end andprotocol back-end logic, along with a plurality of state registers toimplement state-dependent filters. Each protocol that requires statefulpacket filtering preferably has protocol handlers in the form offront-end and back-end logic, which decide when to issue a pass signalfor a packet or store the identifying characteristics of a bitstream forlater reference. Front-end logic 160-1 to 160-N monitors the networktraffic to identify when the current communication state needs to bestored, deleted or updated. Front-end logic 160-1 to 160-N informs acorresponding back-end logic 158-1 to 158-N that a register will beallocated for storage for a bitstream. All store and delete stateregister requests are sent to back-end logic 158-1 to 158-N so it mayupdate its internal information. Register controller 155 controls theactual selection of registers in state registers 156 and informs thecorresponding back-end logic 158-1 to 158-N. Back-end logic 158-1 to158-N monitors which state registers are dedicated to its protocol andissues a pass signal for packets that match an existing bitstream, asindicated by the appropriate packet characteristics and a matching stateregister. It should be noted that in alternate embodiments, differentorganizations of the functions of the programmable logic may beimplemented in accordance with the present invention, incorporatingvarious types of protocol handlers and state registers, as may benecessary.

Register controller 155 consolidates multiple store and clear signalsfrom the various front-end logic 160-1 to 160-N and directs them to theappropriate registers in state registers 156. Register controller 155also informs the various back-end logic 158-1 to 158-N which registersof state registers 156 are to be used for storage. The registers ofstate registers 156, under control of register controller 155, store thecommunication state of a bitstream; for example, a particular registerrecords information about the two communication ends of the bitstreamand also monitors each network packet to see if it matches the storedend-point characteristics. State registers 156 then sets a signal whenits state matches the current packet characteristics. A “garbagecollection” function also is implemented (as further illustrated in FIG.13 below) to help free up state registers when the protocol informationduring the three-way handshake is not accessed within specific timeframes.

As is known in the art, many protocols provide a way of identifying theend of a communication session. Accordingly, in preferred embodimentsthe data protection system detects when a stateful stream ends and freesup the associated state registers. Since clients and servers do notalways cleanly terminate a communication session, the system preferablyimplements session time-outs to free state registers after a period ofbitstream activity and to prevent indefinite state register exhaustion.If the network experiences a high rate of bitstreams requiring statefulinspections, the system's resources, which are allocated to trackingapplication data, can become exhausted. In this case, the systempreferably resorts to allowing network traffic based on a set of staticrules to pass through the non-stateful rules designed specifically foreach protocol. This stateful to non-stateful transition is called“stateful relaxation.” To maintain maximum security, a protocol handlerthat cannot gain access to an open state register will free up all ofits state registers to help prevent other protocol handlers fromentering into a relaxation state. The system will then wait for a stateregister to open, start a timer, and record protocol communication datain the state registers, while relying on the static rules. When thetimer expires, the state filter will cease relying upon the static rulesand approve packets solely on state register information.

FIG. 8 also illustrates toggle 152, which, in the additional illustratedexample, selectively enables FTP (File Transfer Protocol) communicationsbased on the switch state. Protocol back-end logic 158-1 to 158-N, asappropriate, utilize such toggle state information to selectivelygenerate the pass/fail signals for the applicable protocols. Forexample, when the toggle switch is enabled, which is the default mode inmost FTP client applications, it may send a signal to the internal FTPserver to open a TCP connection to the client. Front-end logic 160-1monitors the network traffic for data from the internal network, PORTcommand, source port number (greater than 1024) and destination portnumber (equal to 21). When this information is matched, front-end logic160-1 requests state register controller 155 to store both the PORTcommand IP address and the port number as the destination end and thedestination IP address, as well as store port 20 as the source end of afuture communication packet. (In other embodiments, additional checksmay be conducted to ensure the active connection IP address is the sameas the current source IP address.) When back-end logic 158-1 recognizesthe storage request, it waits for the allocated state register in stateregisters 156 to be sent by register controller 155. For example, whenthe state register number is set as register #1, then it records thatregister #1 is dedicated to allowing active FTP connections through thedata protection system. Back-end logic 158-1 then waits for register #1to signify that the current packet matches its stored state. Whenback-end logic 158-1 recognizes that the three-way TCP handshake hasbeen completed for the new connection, it will notify front-end logic160-1 to delete the state register. If the state register is junked,then back-end logic 158-1 records that register #1 is no longerdedicated to active FTP connections, allowing register controller 155 toallocate that register to a different protocol or network connection inthe future.

FIG. 9 illustrates a preferred physical implementation of one embodimentof the present invention. In this embodiment, one external networkconnection and one internal network connection are provided. It will beappreciated that the components of FIG. 9 can be altered to implement,for example, bastion network connections, multiple internal networkconnections, etc.

The Internet connection, for example, via a cable modem, DSL router orother network interface, preferably is coupled with a physical cable toconnector 168, which may be an RJ-45 connector. The signals received viaconnector 168 are coupled to and from PHY 170, which provides thephysical interface for the data signals received from, or coupled to,the external network. Signals are coupled between PHY 170 and PLD 162,and signals are coupled between PLD 162 and PHY 172, which couplessignals between connector 174 (which again may be an RJ-45 connector).The connection to the internal network may be made through connector174.

In the preferred embodiment, PLD 162 implements the various levels offiltering as previously described. PLD 162 provides logic/hardwarebased, parallel filtering rules logic/engines, which make a decisionabout whether the packet should be allowed to pass or fail prior to thetime that the packet is passed on by the repeater core portion of PLD162 (as described elsewhere herein). The logic of PLD 162 to implementthe filtering rules is programmed/loaded by controller 164, which may bea RISC CPU, such as a MIPS, ARM, SuperH-type RISC microprocessor, or thelike. The PLD code preferably is stored in memory 166, which preferablyis a reprogrammable, non-volatile memory, such as FLASH or EPROM. Inthis manner, the PLD code may be updated by reprogramming memory 166,and the updated PLD code may then be programmed/loaded in to PLD 162under control of processor 164.

FIG. 9 also illustrates the use of LEDs 177, 178 and 179 to providevisual feedback of the data protection system status. In accordance withthe present invention, the use of such displays or light sources may beused to convey various types of information to the user. For example,LEDs 177 and 179 may be provided to indicate that PHYs 170 and 172 aredetecting an active network connection (and thus provide an indicationthat the network connections are present and functioning properly). LED178 preferably provides alarm type information. For example, LED 178 maybe provided in the form of a multi-color LED, which may provide a firstcolored light (e.g., yellow) if the data protection system has rejectedone or more packets (thereby indicating that the system may be detectingan attack), and which may provide a second colored light (e.g., red) ifthe data protection system is continually rejecting packets or rejectingpackets at a high rate (thereby indicating that the system is likelyunder attack). Such visual indicators, which may be coupled with audiofeedback as described elsewhere herein, serve to inform the user thatthe user's computer or network may be under attack, thereby enabling theuser to take further action, such as disconnecting from the network.

It should be noted that such visual feedback may be implemented in avariety of forms. In addition to multi-colored or multiple LEDs, otherlights sources or other displays, a single LED could be provided withthe LED blinking at a rate that indicates the level of severity aspredicted by the data protection system. For example, if no packets havebeen rejected, then the LED may be in an off or safe (e.g., green)state. If packets have been rejected but not on a continual or high ratebasis, then the LED (e.g., red) may be controlled to blink on and off ata first, preferably lower speed rate. If packets are being rejected on acontinual or high rate basis (or otherwise in a manner that that systemrecognizes as suspect), then the LED may be controlled to blink on andoff at a second, preferably higher speed rate. Thus, the LED blink ratedesirably may be controlled to blink at a rate that corresponds to thelevel of severity of the security threat that is determined by the dataprotection system. Optionally coupled with audio feedback, such visualindicators may provide the user with alarm and status information in asimple and intuitive manner.

As further illustrated in the preferred embodiments of FIG. 9, a varietyof physical switches or toggles 176, 180, 181 and 182 may be coupled toPLD 162 or controller 164. As illustrated by update button 176, togglesmay be used to control the updating of the PLD code (for instance, toreconfigure or update the system, providing updated filteringalgorithms). As illustrated by buttons 180 and 181, toggles may be usedto selectively activate/deactivate filtering steps based on whether aprotected computer is enabled to operate in a server mode or client mode(the state of such toggles preferably being used to control filteringdecisions made within the filtering logic). As illustrated by resetbutton 182, toggles may also be used to control the reset of the dataprotection system (for example, to cause the PLD code to be re-loaded,as when the system enters an inoperable state caused by power supplyirregularities or other unusual circumstances). The use of such physicalswitches/toggles allows the data protection system to be controlled in astraightforward manner, simplifying the user operability of embodimentsof the present invention.

With reference to FIG. 9, additional details of preferred update programand protocols will now be described. The data protection system may becontrolled to operate in an update mode by pressing update button ortoggle 176, which preferably is provided on an external case (furtherdescribed in FIG. 10 below). In accordance with preferred embodiments,during the interval when the update button is pressed by the user andthe update either completes or is canceled by the user, the dataprotection system will not forward any packets (i.e., filtering is notactive, so packet transmission is blocked). The user may then run anupdate program (which may be a browser-based or stand-alone application)from an internal host computer.

In the illustrated embodiment, it is assumed that the user previouslydownloaded a system update or is downloading an update through abrowser. The update program preferably breaks the update into 1K sizepackets and forwards them, using a limited broadcast destination address(for example, 255.255.255.255). The source and destination ports are setto a predetermined value, such as 1 (1-4 are currently unassignedaccording to RFC 1010), and an IP option is set in the IP header. Theprogram data preferably is preceded by the system update header that hasthe following structure in the illustrated embodiment: II) (1)/count(1)/bit length (2). The numbers in parentheses represent the field sizein bytes. The ID for the entire transaction remains unchanged, exceptfor the count field increments for each packet. In a preferredembodiment, the data protection system may receive the packets in orderand perform several checks, such as ensuring the ID and count fields arecorrect, verifying the UDP checksum, and storing the configuration datain non-volatile memory. Preferably, these checks may be controlled bycontroller 164. Thereafter, the updated PLD code may be loaded into thePLD, with the filtering operations being based on this updated code.

As a result of the parallel filter rules evaluation as previouslydescribed, packets do not need to be buffered, except, for example, tocreate octets that facilitate determining protocol elements. (As isknown, data needs to be combined into 8-bit, 16-bit, or 32-bit wordsbecause header and packet data often exist in these sizes or straddle a4-bit nibble boundary.) Instead of buffering each packet, the dataprotection system generates another distinct data packet or chunk. Thisprocess of packet generation occurs while a plurality of filtering rulesare applied in real time and in parallel, producing improved dataprotection systems and methods.

FIG. 10 illustrates a preferred embodiment of an exemplary design of anexternal case of a data protection system in accordance with the presentinvention (wherein all switches, lights, ports, etc., and other physicalarrangements are exemplary). For example, external case 184 may be amolded plastic box in the shape of a “U” or folded tube as illustrated.The exemplary features of this external case may include ports, buttons(or toggle switches), LEDs, a removable logo disk, and a power supplyconnector. Home port 186, Internet port 188, and power supply connector190 are preferably located on the same side of external case 184 withpower supply connector 190 set between the two ports. Home port 186connects to the internal network via cable 192; Internet port 188connects to the external network via cable 194. Power supply connector190 is coupled to an external DC power supply via cable 193. The PHY ofeach port preferably is coupled to a link LED as previously described:home port 186 is coupled to internal link LED 196; and Internet port 188is coupled to external link LED 198. The link LEDs are thus coupled tothe internal and external PHYs, respectively, and serve to indicatewhether the PHYs have detected a network connection.

In the preferred embodiment, on side of the U-shaped case, server modebutton 200 is provided to allow the user to selectively enablefiltering, based on whether the internal computer is operating in servermode. Thus, the state of server mode button 200 may be used toselectively control filtering decisions based on whether internalcomputers will be operating in a server mode, etc. Server mode button200 preferably includes server mode LED 202. When illuminated (e.g.,green), server mode LED 202 indicates that the internal computers areenabled to operate in a server mode and the filtering decisions will becontrolled accordingly. Server mode button 200 and server mode LED 202are coupled to PLD 162, as described in FIG. 9.

In the preferred embodiment, parallel to server mode button 200 on theexternal side of the case is alert button 204, which contains alert LED206. Alert LED 206 is coupled to alarm controller 53 (as illustrated inFIG. 3), which preferably is implemented as a part of PLD 162 (asillustrated in FIG. 9). Alert LED 206 may contain a single ormulti-colored LED, which, when illuminated, indicates the dataprotection system is under attack and is rejecting suspect packets. Thedata protection system preferably registers the frequency of attacks andsends signals to alert LED 206 based on such information. In a preferredembodiment, alert LED 206 may contain a LED (e.g., red), which remainsconsistently illuminated during irregular attacks or blinks at regularintervals under heavy attack. In another preferred embodiment, alert LED206 may contain a multi-colored LED, which similarly indicates when thesystem is under attack and is rejecting packets. With a multi-coloredLED, the increase in frequency or intervals of attacks may be indicatedby a change in color: for example, green (indicating no registeredattacks by suspect packets) to yellow (indicating a few irregularattacks) to red (indicating more frequent attacks) to blinking red(indicating a heavy attack). The alert alarm may be reset by depressingalert button 204.

In a preferred embodiment, speaker 55 (or some form of audio transducer)may be coupled to alarm controller 53 to also indicate the presence orseverity of attacks (as described in connection with FIG. 3). Forexample, when the data protection system is under heavy attack and alertLED 206 is blinking (e.g., red), an alarm signal may be transmitted tospeaker 55 to emit audio information to indicate a suspected severeattack or emergency. Alarm-type information may also be coupled to theinternal network (such as via a UDP packet, as described elsewhereherein), and thus transmit alarm information over the network to asoftware interface on the desktop. In other embodiments of the dataprotection system, an array of different features, including buttons,LEDs, alarms, and graphical user interfaces, may be utilized to indicatethe class, frequency and severity of attacks on the system.

Adjacent to alert button 204 on the external network side of the casepreferably is protection button 208, which is coupled to protection-onLED 212 and protection-off LED 214. When protection button 208 is set inthe “on” position, protection-on LED 212 preferably illuminates (e.g.,red) and the filtering system is enabled; when protection button 208 isset in the “off” position, protection-off LED 214 preferably illuminates(e.g., yellow) and the filtering system is disabled.

Still referring to FIG. 10, power LED 210 is coupled in a manner toindicate power is being provided via power supply connector 190. Whenpower LED 210 is illuminated (e.g., green), it indicates the powersupply is providing power to data protection system 1. It should benoted that in the illustrated embodiment, the present invention does notrequire an on/off switch for the power supply because the system isdesigned to be enabled once a DC power supply is provided. As previouslydescribed, reset button 182 is coupled to controller 164 and may be usedto initiate loading or re-loading of the PLD code.

Adjacent to reset button 182 is update button 176, which is coupled toupdate-enabled LED 218 and update-failed LED 220, as well as PLD 162 (asillustrated in FIG. 9). As previously described, an update programpreferably is utilized to update the logic programming and rules tables.Preferably, after pressing update button 176, data protection system 1is automatically restarted, causing the new PLD code to load. The loadversion bit preferably will be set in the flash configuration header,which causes the system to load using the new program file. In apreferred embodiment, update-enabled LED 218 will illuminate (e.g.green) to indicate data protection system 1 is ready to receive the newupdated programming. After the update begins, the system may continuallyflash update-enabled LED 218 until the successful completion of theupdate; LED 218 is extinguished upon successful completion of thisprocess. However, if an update is incomplete and fails to occur,update-failed LED 220 may illuminate (e.g. red) and blink. The userextinguishes LED 220 by pressing the update button a second time. Ifpossible, data protection system 1 may generate a UDP packet to informthe internal client of the reason for the failure. As an additionalexample, if the system contains an LCD, it may display an error code. Itshould be noted that data protection system 1 will continue to filterpackets after update-failed LED 220 is extinguished. LED 216 ispreferably provided to illuminate when the system is operating andfiltering packets in the manner described.

In addition to the various toggles on the present invention, a removablelogo disk 222 may be located on a preferred embodiment of the case. Thisremovable disk may include a company logo, registered trademark, and/orother copyrighted material that may be valuable for branding andmarketing the data protection system under a separate wholesaler. Thedisk is thus removable and replaceable for a variety of brandingpurposes.

In an alternate embodiment, relax button 224 may be implemented to allownetwork traffic to pass through non-stateful rules designed for eachprotocol. To prevent a stateful to non-stateful transition fromoccurring without protection, the data protection system may wait for astate register to open, initiate a timer, and record protocolcommunication data in the state registers (as illustrated in FIG. 8),while relying on the static rules. Three-position relax button 224 maypreferably include a variety of features for timer positions, protocolcommunication data, stateful rules registers information, and otherrules-based filtering functions.

In other embodiments, different designs may be used in accordance withthe present invention, incorporating various buttons, LEDs, ports,cables, slots, connectors, plug-ins, speakers, and other audiotransducers, which in turn may be embodied in a variety of external caseshapes, as may be necessary.

FIGS. 11 and 12 are flow diagrams illustrating examples of “SYN flood”protection in accordance with preferred embodiments of the presentinvention. Such SYN flood protection is optionally provided as anadditional computer protection mechanism in accordance with certainpreferred embodiments.

As is known in the art, SYN flood is a common type of “Denial ofService” attack, in which a target host is flooded with TCP connectionrequests. In the process of exchanging data in a three-way handshake,source addresses and source TCP ports of various connection requestpackets are random or missing. In a three-way handshake, the systemregisters a request from an IP address, then sends a response to thataddress based on its source, and waits for the reply from that address.

As illustrated in FIG. 11, data protection system 1 waits for a packetfrom external PHY 14 (as illustrated in FIG. 2) at step 224. When thesystem receives a packet from the external PHY, it compares the IPaddress and ports to the flood list entries at step 226, then proceedsto step 228. At step 228, the system determines whether the packet typeis TCP, the ACK bit is set, and the packet matches an entry in the floodlist. If this criteria are met, then the system proceeds to step 230,where the packet is removed from the flood list. If the packet isremoved from the flood list, then the system returns to step 224 andwaits for the next packet from the external PHY. Otherwise, if thecriteria at step 228 are not met, then the system proceeds to step 232,where the system determines whether the packet type is TCP, the SYN bitis set and the ACK bit is not set. If the criteria at step 232 are met,then the system proceeds to step 234; otherwise, the system returns tostep 224. At step 234, the system determines if the flood list is fulland if the client has reached the maximum connection requests. If theflood list is not full, then the system returns to step 224 to wait formore packets from the external PHY. However, if the flood list is fullat step 234, then the system proceeds to step 236, where the packet isjunked and the system returns to step 224.

As illustrated in FIG. 12, data protection system 1 also waits for apacket from internal PHY 18 (as illustrated in FIG. 2) at step 238. Whenthe system receives a packet from the internal PHY, it accesses theflood list location and writes the bits into the list, swapping ACK bitsas well as MAC, IP and port addresses. The system then proceeds to step242, where it determines if the packet type is TCP and whether the SYNand ACK bits are set. If the criteria at step 242 are met, then thesystem proceeds to step 244; if not, then the system returns to step 238and waits for another packet from the internal PHY. At step 244, the SYNflag is unset and number 1 is added to the new ACK number. The systemthen proceeds to step 246, where it determines if the flood list isfull. If the flood list at step 246 is full, then the Reset flag is set,the checksums for TCP, IP and Ethernet protocols are recalculated, andthe Reset packet is transmitted. The system then returns to step 238.However, if the flood list at step 246 is not full, then the systemproceeds to step 248, where the checksums for TCP, IP and Ethernetprotocols are recalculated and the ACK packet is transmitted. The systemthen proceeds to step 252, where the recalculated packet is added to theflood list and the system returns to step 238, where it waits foranother packet from the internal network.

In accordance with the present invention, SYN flood protection asdescribed does not require either an IP or MAC address. The dataprotection system uses the destination MAC address as the sourceEthernet address when framing the response packet that completes the TCPthree-way handshake. In all cases, when forming the new packet, thesource and destination header information is swapped, so that the sourceIP address and port become the destination IP address and port. Itshould be appreciated that SYN flood protection, as preferablyimplemented by the system, does not buffer the incoming packet, butbuilds the TCP response packet in real time. The new TCP packet isplaced in a queue for transmission at the earliest time possible basedon the rules dictated by the link level protocol.

As illustrated in FIG. 13, in order to keep the flood lists from fillingup with stale entries, the data protection system must free up stateregisters when the protocol information is not accessed within specifictime frames, such as when a three-way handshake is initiated by a clientbut the transaction is not closed. After the system receives a packet,it waits for one second at step 254, then proceeds to step 256, wherethe packet is checked against each flood list entry and passed to step258. At step 258, the system checks for stale entries (and garbagecollection) in the flood lists and proceeds to step 260, where itdetermines if time has expired. If time has expired at step 260, thenthe packet proceeds to step 262; if not, then the system returns to step256 to check each flood entry list again. At step 262, the system unsetsthe ACK bit and sets the Reset flag, adds 1 to the sequence number,recalculating the checksums, and then recalculates the checksums forTCP, IP, and Ethernet protocols. The system proceeds to step 264, wherethe Reset packet is transmitted; it then proceeds to step 266 andremoves the packet from the flood list. The system then returns to step256. It should be noted that if time expires for the request, then thesystem sends the Reset flag, terminating the connection.

With reference to FIGS. 14-24, preferred embodiments of the presentinvention directed to PNUT-type command protocols, and exemplary methodsand systems for utilizing such protocols, will now be described. Again,it should be understood that PNUT-type protocols in accordance with thepresent invention may desirably be utilized to update the configurationof PLD-based devices connected to a network, although the presentinvention is not limited to updating such PLD-based devices but moregenerally may be used to transmit to and/or receive from such PLD-baseddevices commands or other information. A PNUT-type protocol inaccordance with preferred embodiments is a IMP-based networkcommunication protocol. In a preferred embodiment of the presentinvention, a PNUT update station provides configuration options forusers to change the security protocols and services of a PLD-baseddevice (exemplary security-type devices are described elsewhere herein,although it should be understood that a PNUT-type protocol may be usedfor a variety of other devices that are not security-type devices,etc.).

FIG. 14 is a block diagram illustrating an exemplary networkconfiguration for updating a PLD-based device or appliance via anetwork. In accordance with the present invention, to update theprotocols of PNUT-enabled device 268 (which may be a security-typedevice as described elsewhere herein or other type of device), the userruns browser-type application 276 on PNUT server 272, which is coupledto PNUT-enabled device 268 via network 270 as well as other networkapplications 278. PNUT-enabled device 268 preferably is a hardware-baseddevice, utilizing an FPGA, CPLD, ASIC, controller, etc. PNUT server 272preferably utilizes a highly concurrent, robust server framework basedon a personal computer, workstation or other computing system thatdispatches PNUT commands and data to the appropriate command handler inPNUT-enabled device 268. PNUT-enabled device 268, a preferred example ofwhich is data protection system 1 described earlier, initiates a sessionwith update station 274, which may be provided at one of a plurality offile locations on PNUT server 272. Update station 274 preferablyconsists of or includes a personal computer, workstation or othercomputing system and transmits data packets automatically without userinteraction via a PNUT communication protocol (described in greaterdetail hereinafter). Update station 274 also preferably provides theuser with update procedures and configuration options (which are furtherdescribed below). In general, browser 276, update station 274 and PNUTserver 272 provide a computing-type environment that may expedientlyinteract with a user and transmit and receive PNUT-type packets inaccordance with a PNUT-type protocol as described herein.

FIG. 15 illustrates the transfer of PNUT-type commands in an exemplarynetwork configuration. PNUT-type commands for each PNUT-enabled devicepreferably begin with the device ID or serial number, which identifiesthe PNUT-enabled device, and the op code for the particular command.Since the device ID of a PNUT-enabled device is unique and independentof a protocol address (such as an IP address), the order of the PNUTcommand data is critical to PNUT protocols in accordance with preferredembodiments of the present invention. In an exemplary embodiment,PNUT-enabled device 268, such as data protection system 1, preferablysends ID command 280 to update station 274, which may serve the purposeof providing information identifying PNUT-enabled device 268. Updatestation 274 preferably responds by sending get configuration command 282to PNUT-enabled device 268, which preferably is a request forconfiguration data from PNUT-enabled device 268. PNUT-enabled device 268then preferably transmits its configuration data in the form ofconfiguration data command 284 to update station 274, which preferablyresponds (if the configuration data was correctly received and processedby update station 274) by sending processed command 286 to PNUT-enableddevice 268. In accordance with preferred embodiments, such configurationdata as illustrated in FIG. 15 preferably provides sufficientinformation so that update station 274 may determine the commandprotocol format/definition to which this particular PNUT-enabled deviceis responsive. Thus, as will described in greater detail hereinafter, ineffect PNUT-enabled device identifies itself to update station 274 andalso “tells” the update station the command language (command formats,protocols, etc.) that the update station may use to communicate withthis particular PNUT-enabled device (other PNUT-enabled devices, ingeneral, may have a different set of commands/command formats orprotocols to which they are responsive, etc.).

It should be noted that PNUT-enabled device 268 desirably may wait apredetermined or other amount of time, such as 3 seconds, for aprocessed command packet from update station 274 in order to confirmthat the configuration data had been correctly received by updatestation 274. If PNUT-enabled device 268 does not receive a processedcommand packet from update station 274 in the predetermined or othertime frame, then PNUT-enabled device 268 preferably will retransmitconfiguration data (e.g., configuration data command 288) to updatestation 274 until the command is acknowledged with a process command(e.g., processed command 290) or other commands (such as an errorcommand, terminate command, etc.). It also should be noted that thesequence of configuration data command 284, 288, etc., each followed bya processed command 286, 290, etc., may be repeated a plurality of timesin order for the desired amount of configuration data to be transmittedin a plurality of packets, thereby reducing the size of the packets,such as to avoid fragmentation, etc. In accordance with preferredembodiments, the packets exchanged between the PNUT-enabled device andthe PNUT server, etc., divide the data to be transmitted into packets ofa size so that the packets will traverse the network(s) without beingfragmented. Thus, as the sequence of configuration data commands may berepeated a plurality of times, PNUT-enabled devices (e.g., containingFPGAs, PLDs, etc.) may also be partially or completely reconfigured.

In preferred embodiments, once correct receipt of the configuration datahas been confirmed (i.e., the update station knows the command formatsand protocol that may be used to communicate with the PNUT-enableddevice), a user who is performing the update (in this example) is thennotified to initiate the update of PNUT-enabled device 268 via updateinput 316, such as a GUI button, in browser 276. In alternateembodiments, update input 316 may be a hardware switch activation onPNUT-enabled device 268 (see, e.g., update button 176 of data protectionsystem 1 as illustrated in FIG. 9). What is important is that the updateprocedure preferably has a further user input in order to have theupdate procedure initiated only in response to a valid user commandinput, and after complete exchange and receipt of all appropriateconfiguration or other data.

The configuration data initially sent by PNUT-enabled device 268, inpreferred embodiments, includes information that indicates or specifiesthe PNUT commands, and preferably the format/protocol of those commands,that are supported or recognized by PNUT-enabled device 268. Thus,update station 274, upon receipt of the configuration information fromPNUT-enabled device 268, will know precisely which commands and commandprotocol(s) may be used to communicate with PNUT-enabled device 268. Inthe case where there are a plurality of PNUT-enabled devices 268 on thenetwork, which may be installed at different points in time and supportdifferent PNUT commands (for example, see the core and custom commandsdiscussed elsewhere herein), this transmission of command and commandformat/protocol information ensures that update station 274 knows theprecise commands for the particular PNUT-enabled device with which it isgoing to communicate update or other information.

As further illustrated in FIG. 15, after update station 274 confirmsreceipt of the configuration data from PNUT-enabled device 268 viaprocess command 286 or 290, and after receipt of update input 316,update station 274 then preferably transmits start update command 292 toPNUT-enabled device 268 to begin an update session. Upon receipt ofstart update command 292, PNUT-enabled device 268 preferably responds bysending start update command 294 to update station 274 to acknowledgereceipt of start update command 292 and the beginning of the updatesession. Update station 274 then preferably transmits update datacommand 296 (which preferably includes data for updating theconfiguration of PNUT-enabled device 268, such as data that may be usedto reconfigure the FPGA or other PLD-type device within the PLD enableddevice 268) to PNUT-enabled device 268, which upon proper receiptresponds with received command 298, thereby acknowledging correctreceipt of update data command 296. PNUT-enabled device then preferablywrites the new command data to flash or other non-volatile memory (e.g.,EEPROM, battery-backed-up RAM, etc.) within PNUT-enabled device 268 (asillustrated by step 318), and preferably after completion of commanddata write acknowledges completion of these operations by transmittingprocessed command 300 to update station 274. In preferred embodiments,after receipt of an update data packet, PNUT-enabled device 268preferably stores the update data in flash or other non-volatile memory(step 318), thus retaining the update data even in the event of powerfailure or other service interruption. The partial set of stored data ispreferably coded as incomplete or not valid, such as by setting of anappropriate flag, so that PNUT-enabled device 268 knows that only partof the update data has been received. It is important that theconfiguration of PNUT-enabled device 268 not be changed until thecomplete set of updated configuration data has been received and stored,and at which time the flag may be set to indicate that the entireupdated configuration data has been properly received (see the saveconfiguration step 322, discussed below).

In a preferred embodiment of the present invention, if update station274 does not receive a processed command packet from PNUT-enabled device268 in a predetermined or other time frame, then update station 274preferably will retransmit an update command (e.g., update data command296, 302, etc.) to PNUT-enabled device 268 until the command isacknowledged with a received command (e.g., received command 298, 304,etc.). After each of the update packets have been sent and received, acommand confirms that the update packet has been received and processedby PNUT-enabled device 268 (e.g., processed command 300, 306, etc.).PNUT-enabled device 268 preferably then writes the new command data toflash or other preferably non-volatile storage (as illustrated in step318, 320, etc.), as previously described. Update station 274 may wait apredetermined or other amount of time, such as 3 seconds, for a receivedcommand packet from PNUT-enabled device 268 before resending the priorupdate data command, etc.

It should also be noted that the sequence of PNUT-type commands (such asreceipt of packet acknowledgement, acknowledgement of packet processed,etc.) may be repeated a plurality of times in order to provide completeconfiguration data or other data from update station 274 to PNUT-enableddevice 268 in the event that such data exceeds the size of what isdesired to be transmitted in a single packet. For example, newconfiguration data may be sent via multiple N packets, with PNUT-enableddevice 268 acknowledging receipt of each packet with a received-typecommand as illustrated in FIG. 15. It should also be noted that, inpreferred embodiments, data from update data commands 296, 302, etc. arewritten to flash or other non-volatile memory/storage after receipt,which enables such packets to be retained even in the event ofdisruption of the update data transmission, such as a power failure orthe like.

With reference to FIG. 15, if PNUT-enabled device 268 has finishedprocessing the new configuration data and transmitted a processedcommand 300, 306, etc. to update station 274, then update station 274preferably (but optionally) sends update complete command 308 toPNUT-enabled device 268, which informs PNUT-enabled device 268 that allof the data command packets have been sent (complete command 308 isoptional in that a first data command packet could inform PNUT-enableddevice 268 of the number of packets to follow, or PNUT-enabled device268 could know in advance that a predetermined number of data commandpackets are to follow, etc.). As update, configuration or other data ispreferably being written to flash or other memory after receipt, thedata preferably is stored prior to receipt of update complete command308. At step 322, PNUT-enabled device 268 preferably analyzes the data,which also may include a data decompression and/or decryption (if theconfiguration data was originally compressed and/or encrypted, etc.), toensure that it is complete and appears valid, such as by a checksumcheck or the like. If the total set of update data appears complete,then PNUT-enabled device 268 preferably sets a bit or flag thatindicates that the data is valid and saved in flash or othernon-volatile storage/memory (as indicated by save configuration step322), and thus may be used to update or reconfigure PNUT-enabled device268. This provides an additional level of protection, in that actualreconfiguration of PNUT-enabled device 268 cannot be performed until allof the update data has been received and validated (a reconfigurationbased on data that has not been validated to ensure accuracy andcompleteness in general could be expected to provide unpredictable orundesired results, etc.). Thereafter, PNUT-enabled device 268 preferablyresponds by sending update complete command 310 to update station 274 toacknowledge that all of the update data has been received, validated andstored as valid data.

Upon receipt of update complete command 310 from PNUT-enabled device 268in accordance with the present invention, update station 274 thenpreferably transmits terminate command 312 to end the update session. Toacknowledge the ending of the update session, PNUT-enabled device 268preferably sends terminate command 314 to update station 274. Duringthis update session, PNUT-enabled device 268 preferably enters a modewhereby it loads the new configuration (as illustrated in step 324,which may be a reloading of configuration data for the PLD, FPGA, etc.),and thereafter may operate in accordance with the updated configuration.In other embodiments, PNUT-enabled device 268 may send another commandthat confirms that the reloading of the PLD has been successfullycompleted, or alternatively terminate command 314 could be sent afterPLD reload to confirm that the configuration of the PLD has beensuccessfully updated with new configuration data. It also should benoted that, in alternative embodiments, the PLD or FPGA (consisting ofone or a plurality of PLD or FPGA devices) utilizes a plurality of logicareas, one or more of which may be updated with the new configurationdata. Thus, for example, a first logic area within the PLD/FPGA may beoperating such as to carry out the PNUT-type command exchange, while asecond logic area may be updated with the new configuration data (thus,the PLD or FPGA may be considered to have been partially reconfigured inaccordance with the present invention).

FIG. 16 is a diagram illustrating a preferably PLD-based device(PNUT-enabled device 268) implementing PNUT command protocols over anetwork in accordance with a preferred embodiment. PNUT-enabled device268 is preferably connected to PNUT server 272 via network 270. In apreferred embodiment of the present invention, logic within PNUT-enableddevice 268 includes the following components:

-   -   1. MAC receiver 326 and MAC transmitter 334 are logic cores        dedicated to receiving and transmitting packets, respectively,        for LAN networks, such as Ethernet (10Base-T), Fast Ethernet        (100Base-T), Gigabit Ethernet, Wireless Ethernet, and Bluetooth        protocols (in general, a variety of networks may be used in        addition to the foregoing, and may also include optical,        infrared, IEEE 80211b, IEEE 802.15, token ring, etc.). It should        be noted that MAC receiver 326 and MAC transmitter 334 (and        associated logic, etc.) preferably are separated, so that        particular PNUT-enabled device 268 may contain receive only,        transmit only, or receive/transmit capabilities, as dictated by        the needs of the particular application.    -   2. Command dispatcher 328 filters network traffic from MAC        receiver 326 and identifies PNUT commands. In response to        receiving what is identified as a PNUT command, command        dispatcher 328 dispatches command data corresponding to the        received PNUT command via receive command bus 330 to the        appropriate PNUT command handlers (discussed below). Command        dispatcher 328 preferably serves the functions of recognizing        commands and providing command data for processing by the        appropriate command handlers.    -   3. Receive command bus 330 and transmit command bus 338 are        bus-type structures through which data derived from the PNUT        command/data packets, which may be IP, UDP or other packets, are        transferred.    -   4. Command handlers (i.e., logic for processing commands) for        core commands 332 and 340 and custom commands 342 and 344        determine how the commands are to be executed (i.e., what        operations within PNUT-enabled device 268 or update station 274        are to be performed in response to particular commands). As        illustrated in PNUT-enabled device 268, the command handlers may        be separated into receive only, transmit only, or        receive/transmit commands. Thus, particular devices may        implement either or both types of handlers, etc. (It should be        noted that command handlers may also be implemented in a common        manner, such as via command handler software application 348 on        update station 274 and server 272.) Command handlers for core        commands 332 and 340 preferably include logic to implement a        plurality of core commands, such as ID command, get        configuration command, send configuration command, received        command, processed command, terminate command, error command,        etc., which are commands that preferably are shared by a        plurality of PNUT-enabled devices. Custom commands 342 and 344        preferably include a plurality of custom commands, such as start        update command, update data command, and update complete        command, which are preferably utilized by one or a subset of the        total PNUT-enabled devices on the network. Command handlers for        custom commands 342 and 344 may implement customized commands        for a variety of functions, such as filtering, updating,        logging, polling, testing, debugging, and monitoring. For        example, PNUT custom commands for data protection system 1 may        include DNS filter command, FTP filter command, SYN flood        command, etc. As will be appreciated, with the ability to        support a core set of commands and custom commands, the logic        requirements for various PNUT-enabled devices may be reduced, as        the smaller set of core commands that are likely to be used by a        large number of devices may be more widely implemented, while        logic for generally more specialized custom commands may be        implemented only on the particular devices that are designed to        utilize those custom commands.    -   5. Transmitter controller 336 preferably controls the access to        both MAC transmitter 334 and transmit command bus 338, and        serves to generate all network packets that are to be        transmitted from PNUT-enabled device 268.

As illustrated in FIG. 16, in a preferred embodiment of the presentinvention, PNUT-enabled device 268, which may be a PLD-based or otherlogic-based device, is coupled with a physical cable to network 270,such as a LAN or WAN, which is connected via a similar physical cable toserver PNUT 272. Update station 274 on server 272 sends PNUT datapackets across network 270 to PNUT-enabled device 268. MAC receiver 326in PNUT-enabled device 268 and coupled to network 270 receives datapackets and transmits data from the received packet to commanddispatcher 328. Command dispatcher 328 preferably filters data packetsfor PNUT commands and sends the appropriate command data across receivecommand bus 330 to command handlers for core commands 332 and 340. Incertain preferred embodiments, command dispatcher 328 may also sendcommand data to command handlers for custom commands 342 and 344.Command handlers for core commands 332 and 340 determine which commandon receive command bus 330 to execute and which operations to carry outin response to the command, and, as appropriate, forward the commanddata across transmit command bus 338 to transmitter controller 336.Transmitter controller 336 preferably generates a new command packet andsends it to MAC transmitter 334, which in turn transmits the new commandpacket across network 270 destined for update station 274 on server 272.The exchange of such packets, and the operations that may be carried outin response to such packets, is described elsewhere herein.

FIG. 17 illustrates an alternate embodiment/explanation of the use ofPNUT commands with a PNUT-enabled device. In accordance with thisillustrative embodiment of the present invention, physical layerinterface or PHY 350 preferably includes a physical interface coupled tonetwork 270, a physical interface coupled to MAC receiver 326, and aphysical interface coupled to MAC transmitter 334. PHY 350 provides thephysical interface for data packets not only received from network 270and transmitted to MAC receiver 326, but also received by network 270and transmitted from MAC transmitter 334. Network MAC types that may beutilized with the present invention include, for example, Ethernet, FastEthernet, Bluetooth, Wireless Ethernet, and Gigabit Ethernet.

In a preferred embodiment of the present invention, PHY 350 sends datapackets to MAC receiver 326, which receives the packets (and preferablybuffers, checks the CRC bit, etc. of the packet in the case of Ethernet,and otherwise receives the packet in accordance with the networkprotocol of the particular implementation), and then transmits thepackets to packet parser 352. Packet parser 352 processes all incomingpackets from MAC receiver 326 and provides the packet data to commanddispatcher 328. After packet parser 352 provides the packet data fromMAC receiver 326 to command dispatcher 328, command dispatcher 328filters packet data in order to recognize PNUT commands destined forPNUT-enabled device 268. After receipt of packet data that is recognizedas a PNUT command destined for PNUT-enabled device 268, commanddispatcher 328 waits until receive command bus 330 is free, thenprovides PNUT command data/signals on receive command bus 330. Commandhandlers 356-368 in command core 370 receive the command data/signalsfrom command bus 330 and provide logic for recognizing a specificcommand to be performed (which may be by command ID number or othersignaling), receiving any command information from command dispatcher328 that may be appropriate for the particular command, and alsoproviding logic for initiating the operations that need to be performedfor the particular command. Command core 370 is the logic block wherecommand handlers 356-368 are implemented. It will be understood that thepresent invention is not limited to any particular logic configurationfor packet parser 352 and command dispatcher 328, etc.; what isimportant is that logic be provided for parsing the incoming packets,recognizing PNUT commands in the incoming packets, and providingappropriate command data/signals to logic that initiates and carries theoperations associated with the particular commands.

As further illustrated in FIG. 17, custom command handlers 372-378 incustom command core 380 are also implemented in preferred embodiments,allowing the user to implement customized PNUT commands for particularPNUT-enabled devices, such as previously described. Custom command core380 is coupled to receive command bus 330 and transmit command bus 338,and may be utilized to implement custom, application-specific PNUTcommands. Custom command handlers 372-378 may include, for example,start update command 372, update data command 374, connection updatecommand 376, update complete command 378, etc. As will be apparent toone skilled in the art, these are exemplary custom commands, andalternatives, substitutions and variations of custom commands may beutilized in accordance with the present invention. In particular, customcommands for exchanging particular types of information for particularapplications may be provided with such custom commands. As an exemplarylist, particular custom commands could be used to transmit and/orreceive information such as: configuration information; bar code data;information indicative of a weight of one or more objects or material;information indicative of temperature; information indicative ofmovement or position; information indicative of a size of one or moreobjects or material; information indicative of a presence or amount oflight; information indicative of pressure; information indicative offriction; information indicative of elevation; information indicative ofthickness; information indicative of reflectivity; informationindicative of wind; information indicative of a degree of moisturecontent; camera or other image data; information indicative of theoptical characteristics of an object or material; information indicativeof success or failure of an operation; information derived from amagnetic card reader; and information indicative of a status conditionof an industrial process.

In accordance with the present invention, PNUT protocols define a set ofcore commands that are practical and useful for a wide range ofapplications, such as starting and stopping PNUT communication sessions,for reporting the occurrence of errors, for confirming the reception ofdata, and for confirming the completion of data processing, etc. PNUTcommands preferably contain an identification number, such as an IDnumber, serial number, or a shared default ID number. For example, theshared default ID number, which could be an identification number sharedby all PNUT-enabled devices (for example on the particular network), maybe all zeros or some other predetermined number, and thus provide a wayto poll or ping the entire network for all PNUT-enabled devices orbroadcast particular commands. Particular commands may include, forexample, ID command, terminate command, packet received command, packetprocessed command, error command, get configuration command, sendconfiguration command, etc. However, commands that are addressed toPNUT-enabled device 268 but not handled by one of the command handlerspreferably will cause command dispatcher 328 to return a PNUT errorcommand to the sender's address. It is important to emphasize that thePNUT identification number is independent of any networking addresses(e.g., IP address or MAC address), and thus PNUT-type commands may beimplemented across a plurality of networks.

In a preferred embodiment of the present invention, command handlers356-368 and custom command handlers 372-378 receive command data fromreceive command bus 330, and, as appropriate (such as for responding toparticular commands), transmit commands across transmit command bus 338to transmitter controller 336. Transmitter controller 336 preferablyallocates access to network MAC transmitter 334 through transmit commandbus 338 and packet generator 354, and arbitrates when transmit commandbus 338 is accessible, so that command handlers 356-368 can send commanddata across transmit command bus 338 to transmitter controller 336.Transmitter controller 336 may implement a plurality of priority schemesfor arbitrating bus control, such as round robin, process priorityscheduling, etc. Transmitter controller 336 then prepares the packet forpacket generator 354, which preferably receives the command data andgenerates a new legal packet based on the command data and encapsulatedin, for example, IP or UDP protocols. Thus, packet generator 354provides transmit commands which specify message data by generating thestandard protocol for the particular network and PNUT packet headers.Packet generator 354 then preferably transmits the new packet to MACtransmitter 334, which sends the new packet to PHY 350 and onto network270.

With reference to FIG. 17, controller interface 382 preferably providesan interface to a controller within PNUT-enabled device 268. Controllerinterface 382 is coupled to command core 370 and custom command core380, and exchanges data, commands or signal inputs, as appropriate, withvarious of the command handlers within command core 370 and customcommand core 380. As with the embodiment described in connection withFIG. 16, and with data protection system 1 (such as described inconnection with FIG. 9), for example, update data may be received,receipt acknowledged, stored in flash or other non-volatile memory, etc.Controller interface 382, for example, may be coupled to controller 164of FIG. 9, which may then control the writing of data to non-volatilememory 166, and, after receipt of the entire set of update data, controlthe updating of the configuration of PLD 162, etc. The use of controllerinterface 382 to couple to a controller such as controller 164 for suchpurposes may be implemented in a conventional manner, as will beappreciated by those of skill in the art.

It should be appreciated that PNUT-type command protocols in accordancewith the present invention may be implemented with a variety ofhardware-based devices and appliances, such as cell phones, pagers,portable computers, refrigerators, freezers, etc.

FIGS. 18-20 illustrate exemplary embodiments of browser-type Gills of anupdate station that may be used to update or otherwise exchange commandsor information with a PLD-based device, such as data protection system1, in accordance with PNUT-type command protocols.

With reference to FIG. 18, in an exemplary embodiment of the presentinvention, a PNUT-enabled device, such as data protection system 1(referenced as an “X-Entry” system in FIGS. 18-20), may have itsconfiguration updated by a user operating update station 274. In apreferred embodiment, browser 276 on server 272 initiates the updatesession by opening window 384 to instruct the user on the steps thatwill be performed to update data protection system 1. Preferably, thissession is initiated without any communication with data protectionsystem 1 (i.e., data protection system 1 preferably continues filteringpackets until, for example, a physical button is pushed that puts dataprotection system 1 in an update mode, discussed further in connectionwith FIG. 19). In accordance with such preferred embodiments, forexample, FPGA or PLD logic, etc., is configured for the packet filteringoperations of data protection system 1, and thus continues providingsuch filtering functions until and unless a specific update command isprovided to data protection system 1. The preferred physical switchrequirement provides a level of security in that an external hackerwould find it impossible to circumvent the physical switch, and thus thephysical switch serves to prevent unauthorized persons from operatingdata protection system 1 in a manner to change its configuration.

Referring again to FIG. 18, for example, window 384 preferably includesupdate procedure list 386, which preferably provides a list of steps forthe update procedures (which may provide the user with a visual displayof the progress through the update procedures), and secondary window388, which preferably specifies a plurality of security or other optionsthat may be selected with check boxes 394. Window 384 also preferablyincludes update input features, such as submit button 396. The activestep in update procedure list 386 is preferably indicated by pointer390, procedure text 391 and procedure number 393, which may be displayedin a different color or colors than the other steps to convey theprogress of the update procedures. The client service/protocol optionsmay include, for example, DHCP, DNS, FTP, and IPX/SPX; server types mayinclude, for example, Telnet, FTP, web, and mail server; and additionalfiltering or other services may include, for example, Spoof, SYN flood,Denial of Service protection and logging (i.e., logging of filteringevents and security alerts or attacks on data protection system 1,etc.).

In an exemplary embodiment of the present invention, step 392 in updateprocedure list 386 preferably includes procedure text 391 and procedurenumber 393, which instruct the user to choose from the displayed optionsand press (i.e., click on) submit button 396, which (based on theselected options) initiates the generation of appropriate configurationdata in order to implement the selected options. The user preferablyselects the configuration options on browser 276 and presses submitbutton 396. After the user presses submit button 396, the next step inupdate procedure list 386 is indicated by browser 276, notifying theuser that the updated configuration data is being generated. Inpreferred embodiments of the present invention, pointer 390 moves downupdate procedure list 386 during the update process to indicate theactive step in update procedure list 386. Secondary window 388 may alsochange to include group boxes with option buttons, dialog boxes withstatus bars, pull-down menus with lists of options, etc. After submitbutton 396 has been pressed, update station 274 generates the newconfiguration data, which preferably is saved to the file system and/orstored in RAM on the update station. It should be noted that,preferably, the generated configuration data consists generally of a bitstream that may be used to configure/reconfigure the FPGA/PLD of thePNUT-enabled device. At this stage it preferably is stored as aconfiguration bit stream (and in a subsequent step will be packetizedfor transmission to PNUT-enabled device 268), although in otherembodiments it may be stored in the form of PNUT-type packets that areready for transmission to PNUT-enabled device 268.

With reference to FIG. 19, after the updated new configuration data hasbeen generated, window 384 indicates that the user is at the next stepin the procedures. For example, step 398 in update procedure list 386instructs the user to place data protection system 1 in update mode.Preferably dialog box 400 in secondary window 388 instructs the user topress update button 176 on data protection system 1 (as illustrated inFIG. 9) and dialog box 400 preferably includes blinking status bar 402and text message 404, which notes that update station 274 is waiting forthe user to press update button 176 on data protection system 1.

As illustrated in FIG. 19, update station 274 preferably requires theuser to press update button 176 on data protection system 1 (asillustrated in FIG. 9) in order to activate the update procedures. Aspreviously explained, in preferred embodiments data protection system 1continues to provide packet filtering operation until such time asupdate button 176, which preferably is a physical switch on dataprotection system 1, is activated by a user. After update button 176 ispressed, data protection system 1 switches into update mode, and inpreferred embodiments reconfigures the PLD/FPGA code to engage inPNUT-type communications. While the PLD/FPGA device (or devices)included in data protection system 1 may contain sufficient logic toimplement the packet filtering functions and the logic (receivers,parsers, dispatchers, command handlers, etc.) to engage in PNUT-typecommunications, in general this will not be the case. For example, inorder to provide the most cost effective data protection system,sufficient logic may be included in the PLD/FPGA device(s) to implementthe desired filtering operations, but not the logic for the PNUTcommunication protocol (the PNUT communication protocol in general willbe utilized when the data protection system is not filtering packets andthe PNUT communication protocol will not be needed when the dataprotection system is filtering packets, etc.). Thus, in suchembodiments, activation of the update button preferably causes dataprotection system 1 to configure itself to engage in PNUTcommunications, while preferably stopping packet filtering (and stoppingexternal packets from entering the internal network, etc.). In alternateembodiments, sufficient logic in one or more PLD/FPGA devices isincluded, such that PNUT-enabled device 268 does not need to bereconfigured in order to engage in PNUT communications, etc.

Preferably, after data protection system 1 has configured itself andotherwise entered the operation mode for engaging in PNUTcommunications, data protection system 1 preferably illuminates LED 218indicating that data protection system 1 is in an update-enabled status(illustrated in FIG. 10), and preferably transmits a data packetcontaining command data via network 270 to update station 274. Afterdata protection system 1 sends a command packet to update station 274(see, e.g., FIG. 15 for exemplary initial packet exchanges that mayoccur between a PNUT server and a PNUT-enabled device, which may serveto identify the particular PNUT-enabled device and the commandprotocol/format for the particular PNUT-enabled device, etc.), updatestation 274 receives the packet and then preferably displays window 384in order to initiate the process of transmitting the new configurationdata/bit stream to data protection system 1.

As illustrated in FIG. 20, window 384 indicates that the user is atanother step in the procedures. For example, step 406 in updateprocedure list 386 instructs the user to press update button 416 indialog box 408. Activation of button 416 preferably is required beforethe update station begins the process of transmitting the configurationdata packets/bit stream to data protection system 1. Dialog box 408preferably includes field 410, text message 412, status bar 414, updatebutton 416, and cancel button 418. With the update in process, field 410preferably displays the ID or serial number of data protection system 1.Text message 412 may also notify the user that the updating of theconfiguration of data protection system 1 is in progress. Status bar 414may also indicate the number of attempts to transfer new configurationdata, the percentage of successfully transferred data, and the estimatedtime to complete the file transfer to data protection system 1.

In a preferred embodiment of the present invention, the user preferablypresses update button 416 and update station 274 transmits packetscontaining the configuration data bit stream in an update packet op codeformat, which is followed by a single, last update packet. Upon receiptof the first packet, data protection system 1 preferably transmits asignal to update-enabled LED 218 to flash, which indicates that theupdate process is actively in process. Prior to transmission of the lastupdate packet, if the user presses cancel button 418, then updatestation 274 transmits an update cancel command to data protection system1. Update station 274 preferably transmits the update cancel command upto a predetermined number of times, such as 5 times. If the last packethas been received by data protection system 1, then data protectionsystem 1 preferably transmits a packet to update station 274 confirmingreceipt of the last packet (see FIG. 15 for an exemplary packet sequencethat may be followed). Preferably data protection system 1 thenprocesses the configuration data bit stream from the update packets,which may include a decompression, decryption, checksum check, etc., inorder to ensure that the configuration data/bit stream is validated. Ifan error is detected, then an error packet preferably is sent from dataprotection system 1 to update station 274, and preferably update-failedLED 220 is illuminated (see FIG. 10). If no error is detected, then dataprotection system 1 preferably proceeds to load the new configurationdata/bit stream, and upon “bootup” proceeds to operate in accordancewith the new configuration. Preferably, ready LED 216 is illuminated,indicating that data protection system 1 is operating properly inaccordance with the new configuration and thus indicates that the updateprocedure has been successfully concluded.

In alternate embodiments of window 384 of update station 274, otherconventional visual, tactile and audio controls may be implemented forthe GUI design in accordance with the present invention, includingvarious tabs, buttons, rollovers, sliders, check boxes, dialog boxes,cascading menus, touch buttons, pop-up windows, drop-down lists, textmessages, scroll bars, status bars, and time indicators, etc. Buttonsmay also appear in a plurality of button states, such as normal,selected, default, and unavailable.

FIG. 21 represents a flowchart illustrating an exemplary embodiment ofthe use of PNUT-type commands by a PLD-based device, such as dataprotection system 1, in accordance with the present invention. At step420 the user preferably presses update button 176 of data protectionsystem 1 (as illustrated in FIG. 9). At step 422, data protection system1 is configured for PNUT-type commands (e.g., the PLD/FPGA may bereconfigured from packet filtering to PNUT-type communications, aspreviously described) and update-enabled LED 218 preferably isilluminated indicating data protection system 1 is ready to update (andready LED 216 preferably is extinguished). At step 424, data protectionsystem 1 preferably sends ID command 280 to update station 274 (whichpreferably identifies data protection system 1, such as describedelsewhere herein), then proceeds to step 426. At step 426, dataprotection system 1 preferably waits for the next command from updatestation 274. At step 428, data protection system 1 preferably receivesget configuration command 282 (as discussed in connection with FIG. 15)from update station 274, then proceeds to step 430, where dataprotection system 1 preferably transmits configuration data command 284with new configuration information to update station 274 (as illustratedand described in relation to FIG. 15). At step 432, after havingtransmitted configuration data command 284, data protection system 1preferably waits for processed command 286 from update station 274 for aspecified time interval (as also illustrated in FIG. 15). At step 434data protection system 1 receives processed command 286, then preferablyproceeds to step 436, where data protection system 1 determines if moreconfiguration information must be sent to update station 274. If moreconfiguration information must be transmitted to update station 274,then data protection system 1 preferably returns to step 430 andtransmits configuration data command 284 to update station 274. However,if data protection system 1 does not need to transmit more configurationinformation at step 436, then data protection system 1 preferablyproceeds to step 426 and waits for a command from update station 274.The configuration information transmitted from data protection system 1,as discussed in connection with FIG. 15, preferably provides informationthat defines the PNUT-type command protocols/formats for the commandsthat the particular PNUT-enabled device, e.g., data protection system 1,in accordance with which the PNUT-enabled device operates. Thus, updatestation 274 and data protection system 1 may engage in PNUT-typecommunications based on the particular commands, core or custom, thatare supported by the particular PNUT-enabled device.

If, on the other hand, in accordance with the present invention, dataprotection system 1 does not receive processed command 286 in thespecified time interval at step 434, then data protection system 1preferably proceeds to step 438. At step 438, data protection system 1preferably determines whether processed command 286 was successfullyreceived within the maximum number of attempts allowable. If dataprotection system 1 received processed command 286 within the maximumnumber of allowable attempts, then data protection system 1 proceeds tostep 430. However, if data protection system 1 did not receive processedcommand 286 within the maximum number of allowable attempts, then dataprotection system 1 proceeds to step 440. At step 440, data protectionsystem 1 preferably transmits error command 364 (as described inconnection with FIG. 17) and proceeds to step 426, where data protectionsystem 1 waits for a command from update station 274.

In accordance with the present invention, at step 442 data protectionsystem 1 preferably receives start update command 292 from updatestation 274 (as illustrated in FIG. 15), then proceeds to step 444. Atstep 444, data protection system 1 preferably transmits start updatecommand 292, then proceeds to step 446. At step 446, update-enabled LED218 on data protection system 1 preferably is flashed and update-failedLED 220 is extinguished (as illustrated in FIG. 10) and data protectionsystem 1 then proceeds to step 448. At step 448, data protection system1 preferably receives update data command 296 from update station 274 ina specified time interval (as illustrated in FIG. 15). If dataprotection system 1 does not receive update data command 296 from updatestation 274 at step 448, then data protection system 1 proceeds to step474, where data protection system 1 preferably transmits error command364 and sends a signal to flash update-failed LED 220 on data protectionsystem 1 (as described in connection with FIG. 10). Data protectionsystem 1 then proceeds to step 426 and waits for a command from updatestation 274.

At step 448 if data protection system 1 receives update data command 296in accordance with the present invention, then data protection system 1proceeds to step 450 and preferably transmits received command 298 toupdate station 274 (as illustrated in FIG. 15). At step 452, dataprotection system 1 preferably writes new command data to flash (orother non-volatile memory) via controller 164 (see FIG. 9), thenproceeds to step 454. At step 454, data protection system 1 preferablytransmits processed command 300 to update station 274, then proceeds tostep 456. At step 456, data protection system 1 waits for a command fromupdate station 274. As explained earlier, data protection system 1 mayreceive a plurality of update data commands 296, 302, etc. from updatestation 274 in order for the desired amount of configuration data/bitstream to be transmitted in a plurality of packets. For example, ifupdate station 274 does not receive an update data command from dataprotection system 1 in a predetermined or other amount of time, thenupdate station 274 preferably retransmits an update data command to dataprotection system 1 a predetermined or other amount of time, such as 5seconds, until data protection system 1 acknowledges the command with areceived command. Thus, at step 458 upon receipt of update data command296, 302, etc. from update station 274, data protection system 1preferably determines whether update data command 296, 302, etc.contains data not previously received. If data protection system 1recognizes new data in update data command 296, 302, etc., then dataprotection system 1 proceeds to step 450, where data protection system 1preferably retransmits received command 298, 304, etc. to update station274. If, on the other hand, data protection system 1 does not recognizenew data in update data command 296, 302, etc., then data protectionsystem 1 preferably proceeds to step 454, where data protection system 1retransmits processed command 300, 306, etc. to update station 274.

With further reference to FIG. 21, in accordance with the presentinvention, if data protection system 1 receives update complete command308 from update station 274 (as illustrated in FIG. 15.), then dataprotection system 1 performs checks on the updated configurationdata/bitstream at step 460; data protection system 1 then proceeds tostep 462. At step 462, data protection system 1 determines if thebitstream from update station 274 is valid (for example, data protectionsystem 1 may perform a checksum or other check to ensure that the datafor reconfiguring the PLD/FPGA has been completely and accuratelyreceived). If the bitstream has been determined to be valid, then dataprotection system 1 proceeds to step 464, where data protection system 1preferably notifies the controller to make or indicate thenewly-received configuration/bitstream (which preferably has been storedin non-volatile memory) is valid, such as by setting flag or otherindicator that the bitstream is valid. Data protection system 1 thenproceeds to step 466, where data protection system 1 preferablytransmits update complete command 310 with successful code a specificnumber of times to update station 274 (as illustrated in FIG. 15). Atstep 468, data protection system 1 preferably terminates flashingupdate-enabled LED 218 (as illustrated in FIG. 10) and proceeds to step426, where data protection system 1 waits for a command from updatestation 274.

However, if the bitstream is invalid at step 462, then data protectionsystem 1 proceeds to step 470, where data protection system 1 preferablytransmits update complete command 310 with unsuccessful code to updatestation 274. In accordance with the present invention, window 384 inbrowser 276 of update station 274 (as illustrated in FIG. 18) preferablyindicates that the update session failed. The user preferably pressesupdate button 176 again to cancel and reset data protection system 1.(In an alternate embodiment, if data protection system 1 is unsuccessfulafter receiving update complete command 308 for the final update packet,update station 274 preferably transmits a last packet a specified numberof times and informs the user via browser 276 that the update wasunsuccessful.) Data protection system 1 then proceeds to step 472, wheredata protection system 1 sends a signal to flash update-failed LED 220(as described in connection with FIG. 10). Data protection system 1 thenproceeds to step 426, where data protection system 1 preferably waitsfor a new start update command 292 from update station 274. As explainedearlier, preferably after data protection system 1 transmits startupdate command 292, data protection system 1 may continually flashupdate-enabled LED 218 until the successful completion of the update.Upon receipt of a new start update command 292 (at step 442), dataprotection system 1 transmits start update command 294 to update station272 (at step 444) and then preferably extinguishes update-failed LED 220(at step 446).

If all commands are received and successfully written to nonvolatilememory or storage, such as flash, EPROM, hard drive, or batterybacked-up RAM, etc., then data protection system 1 may be rebooted orconfigured using the new configuration bitstream. At step 476, dataprotection system 1 preferably receives terminate command 358 (asdescribed in connection with FIG. 17) and proceeds to step 478. At step478, data protection system 1 preferably transmits terminate command 358to update station 274 a specified number of times, then proceeds to step480. At this time the user is preferably notified in browser 276 thatthe update procedure was successful. At step 480, data protection system1 preferably informs the controller that it should reconfigure thePLD/FPGA using the new configuration bitstream, which upon completionreconfigures data protection system 1 in order to once again filterpackets and provide data security, but based on the new configurationbitstream transmitted during the PNUT communication session. Visualfeedback of the successful completion of the PLD/FPGA configurationpreferably is given via illumination of ready LED 216. At step 482, theprocess has ended.

In accordance with alternative embodiments of the present invention, theuser may also initiate loading of the new configuration bitstream bypushing the update button a second time. At step 484, the user may pressupdate button 176 of data protection system 1 and data protection system1 may then proceed to step 478. At step 478, data protection system 1preferably transmits terminate command 358 to update station 274 aspecified number of times, then proceeds to step 480. Again, at step480, data protection system 1 preferably informs the controller that itshould reconfigure the system to provide data security in accordancewith the new configuration bitstream, and then the process ends at step482.

In yet another alternative embodiment, data protection system 1continues sufficient non-volatile memory to retain the previousconfiguration bitstream as well as the new configuration bitstream. Inaccordance with such embodiments, if the loading of the newconfiguration bitstream does not result in the expected operation, theuser may, for example, depress and hold for a predetermined durationreset button 182 (see FIG. 10), which will cause data protection system1 to reconfigure using the previous configuration bitstream. Stillalternatively, in other embodiments in an initial step data protectionsystem 1 transmits the current configuration bitstream using PNUTcommands from data protection system 1 to update station 274, whichstores the current configuration bitstream prior to sending the updatedconfiguration bitstream to data protection system 1.

As will be appreciated, implementing PNUT protocols with PLD-baseddevices will allow paralleling, wherein multiple processes can beexecuted simultaneously, producing faster network communication thanconventional systems. It should also be understood that the presentinvention is not limited to this update configuration, for alternativeembodiments of the PNUT-type commands may be implemented. Moreover, itshould further be understood that PNUT protocols are not limited to asingle application, as exemplified with updating data protection system1, but can support a variety of applications, including filtering,logging, polling, testing, debugging, monitoring, etc.

FIG. 22 illustrates an alternate embodiment of a PLD-based deviceconnected to one server, which is preferably networked to another serverfor downloading custom and/or core command data. Update station 274 onserver 272 may be coupled to network 486, which may be a LAN, WAN,Internet, etc., which in turn is coupled to server 488. In thisembodiment, during a communication session PNUT-enabled device 268preferably transmits one or more configuration data packets, whichincludes configuration data command 284 that includes a URL or otherfile location identifier. In accordance with such embodiments,PNUT-enabled device 268 does not send its command protocols/formats toupdate station 274, but instead sends information from which thelocation of its command protocols/formats may be determined. Thisindication may be direct (such as via a URL or other locationidentifier), or indirect (such as via an ID number for the PNUT-enableddevice, which update station 274 may “map” to the URL or other locationsidentifier). Thus, in accordance with such embodiments, PNUT-enableddevice 268 may convey the location (or information from which thelocation may be determined) where update station 274 may go to obtainthe commands and command protocols that are supported or applicable forthe particular PNUT-enabled device (which may then be downloaded byupdate station 274). Thus, the command list and command protocols neednot be conveyed via packet transmission from PNUT-enabled device 268 toupdate station 274 as with other embodiments, but instead update station274 may go to the specified location to obtain the commands and commandprotocol information.

Alternatively, PNUT-enabled device 268 may transmit a unique ID numberor serial number, which is mapped to the command list and commandprotocol information, which may reside in a command library on updatestation 274. What is important is that update station 274 be able toobtain the command list and command protocols for the particularPNUT-enabled device 268 in order to be able to exchange update or othercommands with PNUT-enabled device 268 using the commands/commandprotocols supported by PNUT-enabled device 268. In preferredembodiments, update station 274 need only obtain custom commandprotocols/formats, as in such embodiments the core commands are commonto all (or many) PNUT-enabled devices and are already known to updatestation 274.

FIG. 23 illustrates an exemplary embodiment of how a PNUT-enabled devicemay convey the command protocol/format information for PNUT-typecommands with a standard formatting specification, such as XML(Extensible Markup Language). The configuration data, or command listand protocols/formats, of PNUT-type commands preferably specifies PNUTcustom commands, not core commands (again, core commands preferably arecommon to all or many PNUT-enabled devices and are known to the updatestation, although in other embodiments core command information alsocould be conveyed in the same manner as the custom commands).Configuration data also preferably comprises a plurality of types ofdata (such as number values, URLs, device descriptions, versioninginformation, various attributes, etc.) and describes the structure ofmessages, what values are acceptable, which fields are status flags, andwhat status flag values mean in descriptive terms. Likewise,configuration data of PNUT-type commands may also contain data on devicetypes and device images (showing current and previous states of LEDs,buttons, etc.).

In preferred embodiments of the present invention, the configurationdata of PNUT commands may be implemented with a standard formattingspecification, such as XML (Extensible Markup Language). As will beapparent to one skilled in the art, XML is a universal and extensibleformatting specification that uses a rules-based classification system.A standard formatting specification, such as XML, may be used todescribe all of the PNUT packets and the format of the core and customPNUT-type commands. As explained earlier, since the order of PNUT-typecommands is important to optimal implementation, preferably the order inwhich PNUT-type commands are placed into XML should show up in themessage.

With reference to FIG. 23, in an exemplary embodiment of the presentinvention, PNUT configuration data (command protocols, formats, etc.)are preferably implemented with XML code 492. In accordance with thepresent invention, <msg> tag 494 serves as a type of XML tag. Asapparent to one skilled in the art, XML provides customizable grammar.For example, <msg> tag 494 may be customized according to developerneeds in accordance with PNUT-type commands. XML tags are comprised ofattributes and values. For example, in <msg> tag 494, the attribute idat 496 has a value of “128.” It is important to note that in preferredembodiments the attribute id is the PNUT op code.

In accordance with the present invention, PNUT command names provide anindirect look-up mechanism that is independent of the op code. Updatestart command 498, for example, is a PNUT command name that ispreferably formatted as “UPDATE_START_CMD.”

Each command preferably includes <desc> tag 502, which includesdescription 504. For example, update start command 498 preferably isdescribed as “Start PNUT update.” In accordance with the presentinvention, descriptions may be preferably printed out as messages in alog file or in a dialog box. This allows application code thatcommunicates with PNUT-based devices to generate user messages through adata driven approach.

As will be apparent to one skilled in the art, it is common in networkapplications to issue a command and then receive a response aboutwhether the command was successful or not. PNUT protocols providesupport for describing a status field within a message using the<status> tag. The <status> tag will have a success attribute thatspecifies the field value when the command was successful. Additionally,a tag will contain two or more <desc> tags that describe each acceptablevalue and a descriptive string specified as XML TEXT. (It is notstrictly a requirement that all acceptable values must be specifiedusing <desc> tags.) For example, update complete command 513 has anattribute id of “136.” Status success field 514 of update completecommand 513 contains a plurality of event description values 518, eachof which is preferably comprised of value 520 and text description 522.Thus, event description value 518 of status success field 514 includesthe value “2” (as indicated at value 520) and the text string “Flashwrite failure” (as indicated at text description 522). In accordancewith the present invention, text description 522 may preferably beprinted in a dialog box or logged as “PNUT update could not be completedbecause of a Flash write failure.”

It should be appreciated that in preferred embodiments of the presentinvention, XML code used for PNUT-type commands preferably includes aplurality of tags (e.g., <msg>, <desc>, <bytes>, <status>, etc.) and aplurality of attributes (e.g., attribute id, attribute name, attributebyte size, attribute minimum byte size, attribute maximum byte size,etc). Furthermore, minimum values (e.g. minimum size 506) and maximumvalues (e.g. maximum size 508) may be preferably implemented todynamically define all legal values or specify a type of regularexpression. It should be noted that tags, attributes and other specificsillustrated in FIG. 23 are exemplary; what is important is that anexpedient way be provided for PNUT-enabled devices to convey the commandprotocol/format information to an update station, and XML has beendetermined to be particularly appropriate for this task. It should befurther appreciated that in preferred embodiments of the presentinvention, configuration data as formatted in a standard formattingspecifications, such as XML, may be compressed.

With reference to FIG. 24, PNUT protocols may be used with dataprotection system 1 and a variety of other devices that may be connectedto the network but do not require or implement the full TCP/IP stack.FIG. 24 illustrates other exemplary devices and appliances that may beused with PNUT protocols in accordance with the present invention. Theseexemplary devices suggest the range of possible home and officeappliances that are PLD-based and may utilize PNUT-type commands inaccordance with the present invention for networking to a computer orother PLD-based devices. These devices preferably include: commontelecommunications devices, such as pagers, cell phones, PDA's, and WAPphones; common office equipment, such as faxes, photocopiers, printers,desktop and laptop computers; common home appliances, such as freezers,refrigerators, washers, dryers, microwaves, and toaster ovens; andcommon entertainment equipment, such as radios, televisions, stereosystems, VCRs, handheld video games (e.g., Nintendo Gameboy™), and homevideo game systems (e.g., Sony Play Station™), etc. Thus, the presentinvention may support multiple physical layer connections and a widevariety of functions across networks, such as filtering, updating,monitoring, logging, polling, testing, and debugging, etc.

In accordance with the present invention, PNUT-type commands are alsouseful for transmitting and receiving a plurality of types of data, suchas bar code, magnetic card reader, weight, temperature, movement, size,light, color, speed, pressure, friction, elevation, thickness,reflectivity, moisture, camera feed, mouse movement, success/failurerates, etc.

In accordance with the present invention, communication can also occurbetween PNUT-enabled devices without a PNUT station. For example, a usermay connect a PDA to a LAN to update a file on a desktop computerconnected to the same LAN using PNUT-type commands. In anotherembodiment of the present invention, a user may store digital imagesfrom a camera to a storage device via a LAN connection. In anotherembodiment, a user may monitor the temperature of a cell biologydatabase stored in a −80 freezer with a PDA connected to the same LAN,but located in a different building. Thus, PNUT-enabled devices maycommunicate across a network without a PNUT station.

In accordance with the present invention, PNUT protocols alleviate thecurrently common problem of “versioning,” wherein software applicationschange with each updated version, but still must interoperate withearlier versions without corrupting the data. In accordance withpreferred embodiments, before data protection system 1 or anotherPLD-based device initiates a communication session with update station274, update station 274 issues a message requesting data identifying thesystem's capabilities, particularly the command list and/or commandprotocol supported or recognized by the system or device. Preferablydata protection 1 (or other device) then responds by transmitting apacket containing a description of its capabilities and commands, oralternatively with the location where the command list/protocols may befound, or still alternatively with an ID number, serial number or otheridentifier that may be used to determine the command list/protocols. Forinstance, the capabilities may include speeds, device addresses, buffersizes, etc., whereas the command descriptions may contain message ID,name, size, URL, state machine data (which may dictate the messagepassing protocol), etc. Upon receiving the packet with capabilities andcommand descriptions, update station 274 then preferably utilizes thisdata to generate a set of message formats, which ensure that messagesare in their proper formats for the particular PNUT-enabled device, andversion information, which ensures the proper communication codes. Aspreviously described, the description data may also include a URL thatpoints to a database that stores and retrieves the description data,thus reducing the processing and storage requirements of a PLD networkupdate transport device. This data may be uploaded in much the same waya printer may upload device drivers during its installation andconnection to a computer.

In alternate embodiment of the present invention, PNUT update station274 on server 272 may be implemented with an Access Control List (ACL).For example, in accordance with the present invention, update station274 receives the data packet containing the ID number from aPNUT-enabled device, such as data protection system 1, and matches thisID number to a corresponding number in its ACL. If the ID number matchesone of the ID numbers in the ACL, then update station 274 preferablycommunicates with the device. If the ID number of PNUT-enabled device268 does not match one of the ID numbers in the ACL, then update station274 terminates the communication session.

In accordance with the present invention, UDP checksum does not requirebeing set, allowing UDP headers to be pre-computed regardless of thedata packets transmitted. Ethernet checksum, for example, then may thenserve to catch transmittal errors. Since PNUT-enabled devicespre-compute IP and UDP headers, the design is compact. It should benoted that headers may have to be modified if the PNUT packet length isset by a command to a value other than the default length.

PNUT protocols are independent of UDP and therefore do not need to beimplemented on UDP. In alternate embodiments, PNUT protocols maypreferably be encapsulated within TCP, IP, or at the link layer, such asEthernet, IPX or Bluetooth. For example, if PNUT protocols areencapsulated within TCP, then they preferably would include alternatecommands, such as sequence and acknowledgment bit sets for three-wayhandshakes. Thus, communication across the transport layer with PNUTwould be more reliable and require end-to-end error detection andcorrection.

In an alternate embodiment of the present invention, PNUT protocols mayalso be broadcast over the Internet. Such an implementation wouldrequire using predefined multicast addresses, assigning IP addresses toPNUT-enabled devices, or using a PNUT station as an Internet gateway.For example, a PNUT station may act as a gateway because the server hasan IP address. Therefore, gateways, such as a plurality of PLD-baseddevices on a plurality of networks, may preferably communicate with eachother, integrating PNUT-type commands into other network protocols(e.g., Jini, CORBA, HTTP, DCOM, RPC, etc.). Thus, PNUT protocols mayreduce the amount of data required to operate and communicate acrossnetworks.

Although the invention has been described in conjunction with specificpreferred and other embodiments, it is evident that many substitutions,alternatives and variations will be apparent to those skilled in the artin light of the foregoing description. Accordingly, the invention isintended to embrace all of the alternatives and variations that fallwithin the spirit and scope of the appended claims. For example, itshould be understood that, in accordance with the various alternativeembodiments described herein, various systems, and uses and methodsbased on such systems, may be obtained. The various refinements andalternative and additional features also described may be combined toprovide additional advantageous combinations and the like in accordancewith the present invention. Also as will be understood by those skilledin the art based on the foregoing description, various aspects of thepreferred embodiments may be used in various subcombinations to achieveat least certain of the benefits and attributes described herein, andsuch subcombinations also are within the scope of the present invention.All such refinements, enhancements and further uses of the presentinvention are within the scope of the present invention.

What is claimed is:
 1. A method for updating the configuration of aprogrammable packet filtering device operating to filter packetsreceived from a packet-based network, wherein filtering rules are usedto determine whether a packet is to be junked, comprising the steps of:operating the packet filtering device in accordance with firstconfiguration data, wherein, in accordance with the first configurationdata, the packet filtering device receives packets including at leastfirst packets from the network, processes the first packets based on thefiltering rules, and transmits the processed first packets to anelectronic connection coupled to the packet filtering device, whereinthe packet filtering device filters the first packets at least in partbased on source or destination address information and based on thefirst configuration data; receiving second configuration data for thepacket filtering device sent from a computing system, wherein the secondconfiguration data is selectively received by the packet filteringdevice, wherein the second configuration data are different from thefirst configuration data; loading the second configuration data into thepacket filtering device; and operating the packet filtering device inaccordance with the second configuration data, wherein, in accordancewith the second configuration data, the packet filtering device receivespackets including at least second packets from the network, processesthe second packets based on the filtering rules, and transmits theprocessed second packets to the electronic connection coupled to thepacket filtering device, wherein packet filtering device filters thesecond packets at least in part based on source or destination addressinformation and based on the second configuration data; wherein adetermination is made as to whether each second packet will be junked,wherein bits are changed or data is truncated in a manner such that thesecond packet is corrupted or rendered invalid or unacceptable.
 2. Themethod of claim 1, further comprising the step of, after receipt of thesecond configuration data, storing the second configuration data innon-volatile memory coupled to the packet filtering device.
 3. Themethod of claim 2, wherein the non-volatile memory comprises Flashmemory, electrically erasable and programmable read only memory orbattery-backed-up random access memory.
 4. The method of claim 1,wherein the step of receiving second configuration data for the packetfiltering device sent from the computing system is selectively performedbased on version identification information for the packet filteringdevice provided from the packet filtering device to the computingsystem.
 5. The method of claim 4, wherein the version identificationinformation is used to determine an identification of the secondconfiguration data that are to be received by the packet filteringdevice.
 6. The method of claim 1, wherein the second configuration dataare stored in a location remote from the packet filtering device.
 7. Themethod of claim 6, wherein the location comprises storage coupled to thecomputing system.
 8. The method of claim 6, wherein the locationcomprises storage on a second network, wherein the computing systemaccesses the storage via the second network.
 9. The method of claim 1,wherein the packet filtering device does not implement a TCP/IP stack.10. The method of claim 1, wherein the packet filtering device comprisesan FPGA.
 11. The method of claim 1, wherein the packet filtering devicecomprises an Internet security system.
 12. The method of claim 11,wherein the Internet security system comprises a firewall system. 13.The method of claim 12, wherein the firewall system filters packetsreceived from a second network.
 14. The method of claim 1, wherein thepacket filtering device comprises programmable logic having at least afirst logic portion and a second logic portion, wherein, in response toloading of the second configuration data, the second logic portion isreconfigured and the first logic portion is not reconfigured.
 15. Amethod for updating the configuration of a programmable logicdevice-based packet filtering system (“packet filtering device”)operating to filter packets received from a packet-based network,wherein filtering rules are used to determine whether a packet is to bejunked, wherein the packet filtering device is one of a plurality ofpacket filtering devices coupled to receive packets from the network,comprising the steps of: operating the packet filtering device inaccordance with first configuration data, wherein, in accordance withthe first configuration data, the packet filtering device receivespackets including at least first packets from the network, processes thefirst packets including at least a filtering operation based on thefiltering rules, and transmits the processed first packets to anelectronic connection coupled to the packet filtering device, whereinthe packet filtering device processes the first packets at least in partbased on source or destination address information and based on thefirst configuration data; receiving second configuration data for thepacket filtering device sent from a computing system over the network,wherein the second configuration data is selectively received via one ormore second packets via the network, wherein the second configurationdata are different from the first configuration data; loading the secondconfiguration data into the packet filtering device; and operating thepacket filtering device in accordance with the second configurationdata, wherein, in accordance with the second configuration data, thepacket filtering device receives packets including at least thirdpackets from the network, processes the third packets including at leasta filtering operation based on the filtering rules, and transmits theprocessed third packets to the electronic connection coupled to thepacket filtering device, wherein packet filtering device processes thethird packets at least in part based on sources or destination addressinformation and based on the second configuration data; wherein adetermination is made as to whether each third packet will be junked,wherein bits are changed or data is truncated in a manner such that thethird packet is corrupted or rendered invalid or unacceptable.
 16. Themethod of claim 15, wherein after receiving each of the one or moresecond packets, the packet filtering device saves a portion of thesecond configuration data from the one or more second packets innon-volatile memory coupled to the packet filtering device.
 17. Themethod of claim 16, wherein the packet filtering device saves a portionof the second configuration data in the non-volatile memory coupled tothe packet filtering device from each of the one or more second packetsprior to sending at least a fourth packet acknowledging receipt of acorresponding one of the one or more second packets.
 18. The method ofclaim 16, wherein, after receipt by the computing system of a fourthpacket that acknowledges receipt by the packet filtering device of afinal second packet, the computing system sends at least a fifth packetto the packet filtering device, wherein, in response to the fifthpacket, the packet filtering device saves one or more data indicatingthat all of the second configuration data have been received and storedin the non-volatile memory.
 19. The method of claim 15, wherein thesecond configuration data is loaded into the packet filtering device inresponse to a user command from a user.
 20. The method of claim 19,wherein the user command comprises a command input by a switch.
 21. Themethod of claim 20, wherein the switch comprises a physical switch onthe packet filtering device.
 22. The method of claim 21, wherein theuser command comprises a command entered via the computing system. 23.The method of claim 15, wherein one or more display devices providevisual feedback of the status of the packet filtering device.
 24. Themethod of claim 23, wherein the one or more display devices comprise oneor more LEDs.
 25. The method of claim 23, wherein the one or moredisplay devices comprise a liquid crystal display.
 26. The method ofclaim 15, wherein at least certain of the packets sent by the computingsystem comprise broadcast packets having a predetermined address thatare directed to a first predetermined port.
 27. The method of claim 15,wherein at least certain of the processed first packets transmitted bythe packet filtering device comprise packets having a predeterminedsource address that are directed to a first predetermined port.
 28. Themethod of claim 15, wherein the packet filtering device comprises adevice selected from the group consisting of a PDA, a mobile telephone,a portable computer, a game system, a household appliance, a videorecording system and a paging device.
 29. The method of claim 15,wherein the packet filtering device operates in accordance with a firstset of filtering rules based on the first configuration data, whereinthe packet filtering device operates in accordance with a second set offiltering rules based on the second configuration data.
 30. The methodof claim 15, wherein the packet filtering device transmits packetscontaining information identifying one or more commands to which thepacket filtering device responds, wherein the information is transmittedat least in part in the form of XML code.